Merge branch 'develop'

Reviewed-on: http://git.panaetius.co.uk/dtomlinson/ansible_linux_setup/pulls/1

.gitignore

@@ -0,0 +1 @@
+password

README.md

@@ -1 +1,21 @@
-ansible_linux_setup
+# ansible_linux_setup
+
+## Varaibles
+
+`nvm_version` for the latest version of nvm needs updating.
+## Linux server setup
+
+### `provision.yml`
+
+- Set `hosts` to `all`
+- Set `target_system` to `linux`
+
+## Mac setup
+
+### `provision.yml`
+
+- Set `hosts` to `127.0.0.1`
+- Set `connection` to `local`
+- Set `default_user` to Mac user
+- Set `default_user_group` to Mac user's group
+- Set `ansible_become_pass` to users password for sudo

ansible-requirements.txt

@@ -0,0 +1,2 @@
+pipx inject ansible passlib
+pipx inject ansible docker

commands

@@ -0,0 +1,24 @@
+# Commands
+
+## Playbook
+
+### tags
+
+`ansible-playbook -b test.yml --vault-password-file password --tags rust`
+`ansible-playbook -b test.yml --vault-password-file password --tags "setup,terraform"`
+
+### run on Ubuntu in a venv
+
+`ansible-playbook -b provision.yml --vault-pass-file=password -e ansible_python_interpreter=/usr/bin/python`
+
+## Galaxy
+
+### install requirements
+
+`ansible-galaxy install -r requirements.yml`
+
+## Vault
+
+### Encrypt
+
+`ansible-vault encrypt_string 'email-smtp.eu-west-1.amazonaws.com' --name 'vault_smtp_hostname' --vault-pass-file ./password`

group_vars/all.yml

@@ -1,30 +0,0 @@
----
-# general settings
-default_username: debian
-dot_forward_email: <YOUR_EMAIL_GOES_HERE>
-private_key: .ssh/id_rsa
-public_key: .ssh/id_rsa.pub
-ntpserver: pool.ntp.org
-timezone: Europe/Rome
-
-# default sshd port
-sshd_port: 22
-
-# generate random passwords for default user and root user
-default_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
-root_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
-
-# unattended packages install configuration
-unattended_mail: "{{dot_forward_email}}"
-unattended_remove_unused_dependencies: true
-unattended_automatic_reboot_time: "03:00"
-unattended_update_days: "Sat"
-unattended_clean_interval: 7
-
-# fail2ban
-fail2ban_loglevel: INFO
-fail2ban_services:
-  - name: ssh
-    port: ssh
-    filter: sshd
-    logpath: /var/log/auth.log

group_vars/all/apt.yml

@@ -0,0 +1,64 @@
+---
+packages_to_install:
+  - acl
+  - atop
+  - bash-completion
+  - bc
+  - build-essential
+  - cryptsetup
+  - curl
+  - curl
+  - dnsutils
+  - dos2unix
+  # - exim4
+  - git-core
+  - glances
+  - gnupg
+  - gzip
+  - hddtemp
+  - htop
+  - jq
+  - libbz2-dev
+  - libffi-dev
+  - liblzma-dev
+  - libncurses5-dev
+  - libreadline-dev
+  - libsqlite3-dev
+  - libssl-dev
+  - libxml2-dev
+  - libxmlsec1-dev
+  - llvm
+  - lm-sensors
+  - logrotate
+  - lvm2
+  - lynx
+  - mlocate
+  - neofetch
+  - net-tools
+  - netcat
+  - nmap
+  - ntp
+  - parted
+  - pkg-config
+  - psmisc
+  - python-apt
+  - python3-pip
+  - python3-venv
+  - rclone
+  - rename
+  - reptyr
+  - rkhunter
+  - rsync
+  - screen
+  - sshfs
+  - sudo
+  - tk-dev
+  - tmux
+  - ufw
+  - unzip
+  - vim
+  - wget
+  - wget
+  - xz-utils
+  - zlib1g-dev
+  - zsh

group_vars/all/cargo.yml

@@ -0,0 +1,8 @@
+---
+cargo_packages:
+  - cargo-update
+  - exa
+  - bat
+  - fd-find
+  - ripgrep
+  - bottom

group_vars/all/docker.yml

@@ -0,0 +1,15 @@
+docker__channel: ["stable"]
+docker__edition: "ce"
+docker__version: ""
+docker__state: "present"
+docker__users: ["{{ default_user }}"]
+docker__daemon_flags:
+  - "-H unix://"
+docker__cron_jobs_prune_flags: "af"
+docker__cron_jobs:
+  - name: "Docker disk clean up"
+    job: "docker system prune -{{ docker__cron_jobs_prune_flags }} > /dev/null 2>&1"
+    schedule: ["0", "0", "*", "*", "0"]
+    cron_file: "docker-disk-clean-up"
+    user: "{{ (docker__users | first) | d('root') }}"
+    state: "present"

group_vars/all/fail2ban.yml

@@ -0,0 +1,6 @@
+fail2ban_loglevel: INFO
+fail2ban_services:
+  - name: ssh
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log

group_vars/all/mac.yml

@@ -0,0 +1,3 @@
+homebrew_installed_packages:
+  - readline
+  - xz

group_vars/all/npm.yml

@@ -0,0 +1 @@
+nvm_version: v0.37.2

group_vars/all/python.yml

@@ -0,0 +1,6 @@
+install_pyenv_python: true
+pyenv_python_version: 3.9.1
+pipx_packages:
+  - awscli
+  - ansible
+  - httpie

group_vars/all/rust.yml

@@ -0,0 +1,2 @@
+---
+install_cargo_packages: true

group_vars/all/setup.yml

@@ -0,0 +1,11 @@
+# Time
+ntpserver: pool.ntp.org
+timezone: Europe/London
+
+# Email
+dot_forward_email: dtomlinson@panaetius.co.uk
+smtp_hostname: "{{ vault_smtp_hostname }}"
+smtp_port: 25
+smtp_auth_user: "{{ vault_smtp_auth_user }}"
+smtp_auth_pass: "{{ vault_smtp_auth_pass }}"
+smtp_mail_from: "test-server@panaetius.co.uk"

group_vars/all/ufw.yml

@@ -0,0 +1,12 @@
+# Not implemented: FW can be manually tweaked as necessary
+
+# Local LAN IP-range addresses
+# local_lan: "192.168.0.0/16"
+# docker_overlay_ips: "172.0.0.0/8"
+
+# ufw rules
+# ufw_rules:
+#   - {rule: allow, port: 22, src: "{{local_lan}}", proto: tcp, direction: "in"}
+#   - {rule: allow, port: 22, src: "{{docker_overlay_ips}}", proto: tcp, direction: "in"}
+  # - {rule: allow, port: 80, src: "0.0.0.0/0", proto: tcp, direction: "in"}
+  # - {rule: allow, port: 443, src: "0.0.0.0/0", proto: tcp, direction: "in"}

group_vars/all/user.yml

@@ -0,0 +1,3 @@
+default_user: plex
+default_user_group: "{{ default_user }}"
+default_user_password: "{{ vault_default_user_password }}"

group_vars/all/vault.yml

@@ -0,0 +1,41 @@
+vault_default_user_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65616334373032636534383932373465623634363431323863393839663937613838383566383035
+          6133633038623361636630346233643838623533383333300a356332363165376330376236356665
+          37656230373838373038386234326563656637306236383162383866343163623366356631373862
+          6631616666363137620a363835316632313730623534353336303730363964653231336139383961
+          6361
+
+vault_smtp_hostname: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38373930343363666238326563663338386232386265663663663732313165613437303663333232
+          6266373339613864386638323436373363623937326130610a373530366237626564303666386364
+          39313063346137373132363331373261653736316662666431636363613338303034623430653033
+          3764613532646232630a373032356364636566376638646162623034623663313263326630306564
+          38323835356437326431323637323432363630653738383936343737333634636662396535383164
+          6334343166613762373130653961663334393335363066643539
+
+vault_smtp_auth_user: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66313165326136343630393030366662303639626237376563633035326636343866363933613436
+          3235333533353136333564363134626136326565383866650a343865626363346565336131643832
+          38656463393930376437356634633531656636666266623639663638613563613263356639313939
+          3838356561306466650a623066303265353361633238643161306562336163623436643736653535
+          64646164346366663766366136323661663731393136643238633435643739316531
+
+vault_smtp_auth_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36336437393838663665383465313432373866656461356635646331396165323132623163343762
+          3031666331323464326538373839373933336130303537350a326538393330303339626565646434
+          36656665313166653534663237633665633434643166633862326136643738636265396439613465
+          3661316235633830640a333939393762303035653632303664623465373431313061643438616363
+          30343535323764636437656431313430663536316132366361666436643732636363666266353162
+          3362343930306564656331643135363264346263663739616637
+
+# ansible_become_pass: !vault |
+#           $ANSIBLE_VAULT;1.1;AES256
+#           66346462356439303239356536363866646632343461616466343864653131333764633031333034
+#           6335666330663232633236363737393835633039323239660a363564663664353562356564346466
+#           36623139376461373938366136323336633939353064633061653463323638643236313162306661
+#           6134613531633131300a313037303233623832346465316238316238643035356462303430323362
+#           6531

group_vars/apt.yml

@@ -1,49 +0,0 @@
----
-# packages to install
-packages_to_install:
-    - sudo
-    - python-apt
-    - git-core
-    - ufw
-    - dnsutils
-    - build-essential
-    - acl
-    - screen
-    - bash-completion
-    - ntp
-    - jq
-    - htop
-    - psmisc
-    - python-pip
-    - python3-pip
-    - vim
-    - netcat
-    - net-tools
-    - nmap
-    - lynx
-    - wget
-    - curl
-    - gzip
-    - rsync
-    - logrotate
-    # - logcheck
-    - rkhunter
-    - cryptsetup
-    - python-glade2
-    - dos2unix
-    - mlocate
-    - rclone
-    - bc
-    - zsh
-    - hddtemp
-    - lm-sensors
-    - qemu-guest-agent
-    - atop
-    - sshfs
-    - reptyr
-    - lvm2
-    - parted
-    - rename
-    - glances
-    - gnupg
-    - exim4

group_vars/docker.yml

@@ -1,23 +0,0 @@
----
-# flag to install or skip docker module installation and configuration
-install_docker: true
-
-# docker
-docker__channel: ["stable"]
-docker__version: "19.03.5"
-docker__state: "present"
-docker__compose_version: "1.25.0"
-docker__users: ["{{default_username}}"]
-docker__daemon_flags:
-  - "-H unix://"
-  #- "-H unix:// --iptables=false"
-# "a" removes unused images (useful in production).
-# "f" forces it to happen without prompting you to agree.
-docker__cron_jobs_prune_flags: "af"
-docker__cron_jobs:
-  - name: "Docker disk clean up"
-    job: "docker system prune -{{docker__cron_jobs_prune_flags}} > /dev/null 2>&1"
-    schedule: ["0", "0", "*", "*", "0"]
-    cron_file: "docker-disk-clean-up"
-    user: "{{(docker__users | first) | d('root')}}"
-    state: "present"

group_vars/monit.yml

@@ -1,30 +0,0 @@
----
-# monit
-config_monit: true
-monit_enable_email_notifications: false
-monit_email_to: "{{dot_forward_email}}"
-monit_enable_web_server: false
-monit_web_server_allow_list:
-  - localhost
-monit_web_server_local_only: true
-monit_monitor_services:
-  - name: "cron"
-    monitored: true
-    pidfile: "/var/run/crond.pid"
-    start_program: "/usr/sbin/service cron start"
-    stop_program: "/usr/sbin/service cron stop"
-  - name: "fail2ban"
-    monitored: true
-    pidfile: "/var/run/fail2ban/fail2ban.pid"
-    start_program: "/etc/init.d/fail2ban start"
-    stop_program: "/etc/init.d/fail2ban stop"
-  - name: "sshd"
-    monitored: true
-    pidfile: "/var/run/sshd.pid"
-    start_program: "/etc/init.d/ssh start"
-    stop_program: "/etc/init.d/ssh stop"
-  - name: "syslogd"
-    monitored: true
-    pidfile: "/var/run/rsyslogd.pid"
-    start_program: "/etc/init.d/rsyslog start"
-    stop_program: "/etc/init.d/rsyslog stop"

group_vars/networking.yml

@@ -1,14 +0,0 @@
----
-# Local LAN IP-range addresses
-local_lan: "192.168.0.0/16"
-docker_overlay_ips: "172.0.0.0/8"
-
-# ufw rules
-ufw_rules:
-  - {rule: allow, port: 22, src: "{{local_lan}}", proto: tcp, direction: "in"}
-  - {rule: allow, port: 22, src: "{{docker_overlay_ips}}", proto: tcp, direction: "in"}
-  # - {rule: allow, port: 80, src: "0.0.0.0/0", proto: tcp, direction: "in"}
-  # - {rule: allow, port: 443, src: "0.0.0.0/0", proto: tcp, direction: "in"}
-
-# network configuration for our server
-interfaces_template: "interfaces-dhcp-server.j2"

group_vars/vault.yml

@@ -1,15 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36663239336238393633346563366232393635633365343535663163336438613066633062626133
-3630376365643565653430363030616132383332306339370a393139616163366461376133373935
-35386535363862353237306264336230646334346162316666613238343863303336633533626538
-3364313966306362330a626634313961326664303761363635633039333138353331306132636261
-35623366333637353962383730613966336461623936376235313365303661663238316563613838
-33303032306137373863303564643236653530333366366136363837666661663864376139626634
-64613839333335663237333533633464393831663331356437376133396330396661366366373461
-33353462393063313731316364333034373066653563336533363032363038326331303433666634
-62376637343463386538333566303234313330663234313664616433653563353165386366653638
-65613736633135316463316537653638326233353134343537393239663537613734313762346434
-63393437356366613332623666383532363365303239666637666362626366623862666334303537
-35333663343137643737383533323134363937386239616136326534653261636361386463326236
-64306433666465343066333136346434656537626631656632393737626565396130373036333530
-3265646137373062393035636531376339623231366139373664

hosts

@@ -0,0 +1,7 @@
+---
+all:
+  hosts:
+    116.203.223.205:
+  vars:
+    ansible_user: "root"
+    ansible_ssh_private_key_file: ~/.ssh/id_rsa

install.sh

@@ -1,77 +0,0 @@
-#!/bin/bash
-
-usage() {
-    echo "USAGE: ${0} [-h] [-D] -H hostname [-p password_file]"
-    echo ""
-    echo "Configures the given role for the given hostname."
-    echo ""
-    echo "Options:"
-    echo "  -h runs help (this screen)"
-    echo "  -D debug mode on (more verbose output)"
-    echo ""
-    echo "  -H the target hostname to configure"
-    echo "  -p password_file is an optional path to a password file for Ansible"
-    echo ""
-}
-
-# check invocation
-if (! getopts ":hDH:p:" opt); then
-  usage
-  exit $E_OPTERROR;
-fi
-
-debug_mode=0
-
-# parse arguments
-while getopts ":hDH:p:" opt; do
-  case $opt in
-    h)
-      usage
-      exit 1
-      ;;
-    D)
-      debug_mode=1
-      ;;
-  	H)
-      hostname=($OPTARG)
-	  ;;
-    p)
-      password_file=($OPTARG)
-      ;;
-    \?)
-      echo "Invalid option: -${OPTARG}" >&2
-      usage
-      exit 1
-      ;;
-  esac
-done
-shift $((OPTIND -1))
-
-virtualenv -q -p $(which python3) venv
-source venv/bin/activate
-
-# install local requirements for ansible
-ansible-galaxy install -r requirements.yml
-# install additional pre-requirements
-pip install jmespath dnspython
-
-# export ansible variables
-export ANSIBLE_LOAD_CALLBACK_PLUGINS=1
-if [ $debug_mode -eq 0 ] ; then
-  export ANSIBLE_STDOUT_CALLBACK="unixy"
-else
-  export ANSIBLE_STDOUT_CALLBACK="skippy"
-fi
-
-# create hosts file
-echo "[prod]" > hosts
-echo "${hostname}" >> hosts
-
-# run ansible
-if [ -z $password_file ] ; then
-    ansible-playbook -i hosts provision.yml --vault-id @prompt
-else
-    ansible-playbook -i hosts provision.yml --vault-password-file $password_file
-fi
-
-deactivate

provision.yml

@@ -1,38 +1,35 @@
 ---
-- hosts: prod
-  vars_files:
-    - group_vars/all.yml
-    - group_vars/apt.yml
-    - group_vars/docker.yml
-    - group_vars/monit.yml
-    - group_vars/networking.yml
-    - group_vars/vault.yml
-  user: "{{default_username}}"  # run whole script with default user
-  become: yes
-  roles:  # order is not random!
+- hosts: all
+# mac overrides
+# - hosts: 127.0.0.1
+#   connection: local
+
+  # variable flags
+  vars:
+    install_cargo_packages: true
+    install_pyenv_python: true
+    target_system: linux
+    # mac overrides
+    # default_user: dtomlinson
+    # default_user_group: staff
+    # ansible_become_pass: 4Oa;Db5c!
+
+  roles:
     - role: nickjj.fail2ban
-      tags: fail2ban
-    - role: common
-      tags: common
-    - role: ufw
-      tags: ufw
-    - role: user
-      tags: user
+      tags: [fail2ban]
+      when: target_system == "linux"
+    - role: setup
+      when: target_system == "linux"
     - role: ssh
-      tags: ssh
-    - role: nickjj.docker
-      when: install_docker == true
-      tags: docker
+      when: target_system == "linux"
     - role: docker
-      when: install_docker == true
-      tags: docker
-    - role: jnv.debian-backports
-      tags: common
-    - role: ansible-monit
-      tags: common
-    - role: jnv.unattended-upgrades
-      tags: common
-    - role: networking
-      tags: networking
-    - role: reboot
-      tags: reboot
+      when: target_system == "linux"
+    - role: mac
+      when: target_system == "mac"
+    - role: shell
+    - role: npm
+    - role: python
+    - role: rust
+    - role: terraform
+    - role: go
+    - role: cleanup

requirements.yml

@@ -1,6 +1,20 @@
 ---
-- src: nickjj.fail2ban
-- src: nickjj.docker
-- src: https://github.com/mrlesmithjr/ansible-monit
-- src: jnv.debian-backports
-- src: jnv.unattended-upgrades
+# roles
+# linux
+roles:
+  - src: jnv.debian-backports
+  - src: jnv.unattended-upgrades
+  - src: nickjj.docker
+  - src: nickjj.fail2ban
+
+  # mac
+  - src: elliotweiser.osx-command-line-tools
+  - src: geerlingguy.homebrew
+
+  # misc
+  - src: fubarhouse.golang
+
+# collections
+# linux
+collections:
+  - community.docker

roles/cleanup/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: Cleanup tasks
+  tags: cleanup
+  become: true
+  block:
+    - name: Remove temporary directory
+      file:
+        path: "{{ temp_install_dir.path }}"
+        state: absent
+      when: temp_install_dir.path is defined
+
+    - name: Remove temporary root directory
+      file:
+        path: "{{ temp_install_dir_root.path }}"
+        state: absent
+      when: temp_install_dir_root.path is defined

roles/common/tasks/main.yml

@@ -1,95 +0,0 @@
----
-- name: Upgrade packages
-  apt:
-    upgrade: full
-
-- name: Install packages
-  apt:
-    name: "{{packages_to_install}}"
-    state: present
-    update_cache: yes
-    allow_unauthenticated: yes
-
-- name: Install mozilla/sops
-  get_url:
-    url: https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux
-    dest: /usr/bin/sops
-    mode: "0755"
-    owner: root
-    group: root
-  
-- name: Enable dm_crypt module
-  modprobe:
-    name: dm_crypt
-    state: present
-
-- name: Enable compress on logrotate
-  lineinfile:
-    dest: /etc/logrotate.conf
-    regexp: "^#?compress"
-    line: "compress"
-    state: present
-
-# - name: Send logcheck results to right email address
-#   lineinfile:
-#     dest: /etc/logcheck/logcheck.conf
-#     regexp: "^#?SENDMAILTO="
-#     line: "SENDMAILTO=\"{{dot_forward_email}}\""
-#     state: present
-
-# - name: Copy local logcheck ignore rules
-#   copy:
-#     src: templates/local-rules
-#     dest: /etc/logcheck/ignore.d.server/local-rules
-#     owner: root
-#     group: logcheck
-#     mode: u=rw,g=r,o=r
-
-- name: Configure timezone
-  timezone:
-    name: "{{timezone}}"
-
-- name: Configure ntp client and restart it
-  template:
-    src: ntp.conf.j2
-    dest: /etc/ntp.conf
-  notify:
-    - restart ntp
-    - restart cron
-
-- name: Set up exim4 conf
-  template:
-    src: update-exim4.conf.conf.j2
-    dest: /etc/exim4/update-exim4.conf.conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Set up exim4 password file
-  template:
-    src: passwd.client.j2
-    dest: /etc/exim4/passwd.client
-    owner: root
-    group: Debian-exim
-    mode: 0640
-
-- name: Set up exim4 localmacros
-  template:
-    src: exim4.conf.localmacros.j2
-    dest: /etc/exim4/exim4.conf.localmacros
-    owner: root
-    group: root
-    mode: 0644
-  notify: restart exim4
-
-- name: Make fail2ban work with ufw
-  lineinfile:
-    dest: "{{item}}"
-    regexp: "^banaction"
-    line: "banaction = ufw"
-    state: present
-  with_items:
-    - /etc/fail2ban/jail.conf
-    - /etc/fail2ban/jail.local
-  notify:
-    - restart fail2ban

roles/common/templates/local-rules

@@ -1,241 +0,0 @@
-#Avahi daemon casues a lot of spam. Add rules for the following type of messages;
-#Feb  7 19:15:47 alias avahi-daemon[772]: Invalid query packet.
-#Feb  7 19:16:51 alias avahi-daemon[772]: last message repeated 5 times
-#Feb  7 19:35:46 alias avahi-daemon[772]: Invalid response packet from host 130.89.170.253.
-#Note that the next rule is ugly, but i'm not sure how to filter it otherwise (except stopping rsyslog from summaryzing)
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: last message repeated [0-9]+ time(s)?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid query packet.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet from host [[:alnum:]:.]+.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response from host [[:alnum:].]+ with invalid source port [0-9]+ on interface '[[:alnum:]:.]+'$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Registering new address record for [:0-9a-f]+ on [[:alnum:]]+\.\*.$
-#Remove like:
-#Feb  8 16:55:24 alias avahi-daemon[908]: Received response from host 130.89.164.246 with invalid source port 52031 on interface 'eth0.0'
-#Feb  8 16:55:23 alias avahi-daemon[908]: Invalid legacy unicast query packet.
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid legacy unicast query packet.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response with invalid source port [0-9]+ on interface '[[:alnum:].]+'$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]:.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: Get:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: The following package was automatically installed and is no longer required:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: Use 'apt-get autoremove' to remove it\.
-# Process accounting resumed
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] Process accounting resumed$
-# perf samples too long (KVM/X58/5 series chipset issue)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] perf samples too long \([0-9]{3,5} > [0-9]{3,5}\), lowering kernel\.perf_event_max_sample_rate to [0-9]{3,5}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] perf interrupt took too long \([0-9]{3,5} > [0-9]{3,5}\), lowering kernel\.perf_event_max_sample_rate to [0-9]{3,5}$
-# ext4 remounts
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] EXT4-fs \([a-zA-Z]{2,3}-[0-9]{1,2}\): re-mounted\. Opts: \(null\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] list passed to list_sort\(\) too long for efficiency$
-#Lines zoals:
-#Feb  6 17:21:26 alias ntpd[1030]: clock is now synced
-#Feb  6 17:39:54 alias ntpd[1030]: clock is now unsynced
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: clock is now synced$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: clock is now unsynced$
-#Allow NTPD to make small adjustments to the local clock without spam
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: adjusting local clock by (-)?[0-9].[0-9]+s$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: adjusting clock frequency by (-)?[0-9]\.[0-9]+ to (-)?[0-9]{0,2}\.[0-9]+ppm$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: skew change (-)?[0-9]+.[0-9]+ exceeds limit$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: peer [[:alnum:]:\.]{7,39} now (valid|invalid)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: reply from [[:alnum:]:\.]{7,39}: not synced( \(alarm\))?, next query [0-9]+s$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: reply from [[:alnum:]:\.]{7,39}: negative delay -0\.[0-9]+(, next query [0-9]+s)?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: (message repeated [0-9]{1,3} times: \[ )?sendto: Network is unreachable(\])$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: peers refreshed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: new interface\(s\) found: waking up resolver$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: Listen normally on [0-9]+ (eth|br)[0-9]+ [[:alnum:]:\.]{7,39} UDP [0-9]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: [[:alnum:]:\.]{7,39} interface [[:alnum:]:\.]{7,39} -> ([[:alnum:]:\.]{7,39}|\(none\))$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: Deleting interface \#[0-9]+ [[:alnum:]]{3,4}, [[:alnum:]:\.]{7,39}#[0-9]+, interface stats: received=[0-9]+, sent=[0-9=}, dropped=[0-9]+, active_time=[0-9]+ secs$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: [[:alnum:]]+: replace: header
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/pipe\[[[:digit:]]+\]:.+delivered via omvnotificationfilter service.+$
-
-#Ignore UDP connects to public community on localhost
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from UDP: \[127.0.0.1\]->\[127.0.0.1\]:-[0-9]+$
-# Logcheck rules for systemd, organized by component.
-
-# Automount
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Set up|Unset) automount .+\.$
-
-# Busname & Socket
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) .+\.$
-
-# Device
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Expecting device [^[:space:]]+\.device\.\.\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Found device [^[:space:]]+\.$
-
-# Device
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded the IMA custom policy [^[:space:]]+\.$
-
-# Job & Service & Unit
-# FIXME:  Don't want to match "Stopped \(with error\) .+\.$"
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Started|Stopped|Reloaded) .+\.$
-# FIXME:  Don't want to match "Starting of .+ not supported\.$"
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Stopping|Reloading) .+\.$
-
-# Log
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd(-[^[:space:]]+)?\[[[:digit:]]+\]: Received SIG[^[:space:]]+( from PID [[:digit:]]+ \([^[:space:]]+\))?\.$
-
-# Main
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reexecuting|Reloading|Shutting down|Switching root)\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected architecture [^[:space:]]+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected virtualization [^[:space:]]+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: RTC configured in localtime, applying delta of -?[[:digit:]]+ minutes to system time\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Running in initial RAM disk\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: systemd [[:digit:]]+ running in (test )?system mode. \((\+[[:alnum:]]+ ?)+\)$
-
-# Manager
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
-
-# Mount
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Mounted|Unmounted) .+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Mounting .+\.\.\.$
-
-# PAM
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[[:digit:]]+\))?$
-
-# SELinux
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded SELinux policy in [^[:space:]]+\.$
-
-# Smack
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded Smack(/CIPSO)? policies\.$
-
-# Slice
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice User Slice of .+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice [^[:space:]]+\.slice\.$
-
-# Swap
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Activated|Deactivated) swap .+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Activating swap .+\.\.\.$
-
-# Target
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reached|Stopped) target .+\.$
-
-# Unit
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit is bound to inactive unit [^[:space:]]+\. Stopping, too\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit not needed anymore\. Stopping\.$
-
-# systemd-journald
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[[:digit:]]+\]: Received request to (flush|rotate) runtime journal from PID [[:digit:]]+$
-
-# systemd-logind
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [^[:space:]]+ of user [^[:space:]]+\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [^[:space:]]+\.$
-
-# systemd-sleep
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: Suspending system\.\.\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: System resumed\.$
-
-# systemd-timesyncd
-# Note:  Only required for systemd 218 and earlier due to
-#        https://bugs.freedesktop.org/show_bug.cgi?id=88926
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: interval/delta/delay/jitter/drift [[:digit:]]+s/(\+|-)[.[:digit:]]+s/-?[.[:digit:]]+s/-?[.[:digit:]]+s/(\+|-)[[:digit:]]+ppm( \(ignored\))?$
-
-# /etc/logcheck/ignore.d.server/local-rules
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[. [:digit:]]+\] perf samples too long \([[:digit:]]+ > [0-9]+\), lowering kernel.perf_event_max_sample_rate to [[:digit:]]+$
-ntpd\[[0-9]+\]: adjusting clock frequency by [0-9]+\.[0-9]+ to [0-9]+\.[0-9]+ppm
-ntpd\[[0-9]+\]: adjusting clock frequency by [0-9]+\.[0-9]+ to -[0-9]+\.[0-9]+ppm
-ntpd\[[0-9]+\]: adjusting clock frequency by -[0-9]+\.[0-9]+ to [0-9]+\.[0-9]+ppm
-ntpd\[[0-9]+\]: adjusting clock frequency by -[0-9]+\.[0-9]+ to -[0-9]+\.[0-9]+ppm
-ntpd\[[0-9]+\]: adjusting local clock by [-]*[0-9]+\.[0-9]+s
-ntpd\[[0-9]+\]: bad peer from pool [0-9]+.debian.pool.ntp.org
-ntpd\[[0-9]+\]: Soliciting pool server
-ntpd\[[0-9]+\]: [0-9]+ out of [0-9]+ peers valid
-ntpd\[[0-9]+\]: reply from [\.0-9]+: not synced, next query [0-9]+s
-auditd\[[0-9]+\]: Audit daemon rotating log files
-kernel\[[0-9]+\]: \[[0-9]+\.[0-9]+\] INFO: NMI handler (perf_event_nmi_handler) took too long to run: [0-9]+.[0-9]+ msecs
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[. [:digit:]]+\] hrtimer: interrupt took [[:digit:]]+ ns$
-rrdcached\[[0-9]+\]: Received FLUSHALL
-rrdcached\[[0-9]+\]: flushing old values
-rrdcached\[[0-9]+\]: removing old journal /var/lib/rrdcached/journal/rrd.journal.[0-9]+\.[0-9]+
-rrdcached\[[0-9]+\]: rotating journals
-rrdcached\[[0-9]+\]: started new journal /var/lib/rrdcached/journal/rrd.journal.[0-9]+\.[0-9]+
-systemd-logind\[[0-9]+\]: New session c[0-9]+ of user nobody.
-systemd-logind\[[0-9]+\]: New session [0-9]+ of user vagrant.
-systemd-logind\[[0-9]+\]: Removed session [0-9]+.
-systemd-logind\[[0-9]+\]: Removed session c[0-9]+.
-## suppress issues that arise with publicly available services that people try to exploit. https://gist.github.com/towo/9600375
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ::ffff:[\.0-9]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
-#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: bad client public DH value \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alpha:]]+,ssh-connection\) -> \([[:alpha:]]+,ssh-connection\) \[preauth\]$
-#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [\.0-9]+: 11: Bye Bye \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: Goodbye \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: PECL/ssh2 \(http://pecl.php.net/packages/ssh2\) \[preauth\]$
-##
-##dhclient\[[[:digit:]]+\]: DHCPREQUEST of [\.0-9]+ on eth0 to [\.0-9]+ port [0-9]+ (xid=0x[0-9a-f]+)
-#dhclient\[[0-9]+\]: DHCPREQUEST of [\.0-9]+ on eth0 to [\.0-9]+ port [0-9]+ (xid=0x[0-9a-f]+)
-sh\[[0-9]+\]: Generated new chapter thumbnails for
-sh\[[0-9]+\]: Warning: strange ID3v2 tag in
-sh\[[0-9]+\]: __code__:699: FutureWarning: The behavior of this method will change in future versions. Use specific 'len\(elem\)' or 'elem is not None' test instead.
-sh\[[0-9]+\]: self.processTRCK\( self.frameId, self.frameFlags, self.data \)
-sh\[[0-9]+\]: Got nothing for: Series None None
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Del
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Calculating upgrade\.\.\.
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE:
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-[0-9]+: action 'action 20' suspended, next retry is
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-?[0-9]+: action 'action 20' resumed
-kernel: \[[0-9]+\.[0-9]+\] Peer .+ unexpectedly shrunk window .+ \(repaired\)
-openmediavault-update-smart-drivedb: Updating smartmontools .+ drive database \.\.\.
-cron-apt: The following packages were automatically installed and are no longer required:
-cron-apt: Use 'apt-get autoremove' to remove them\.
-openmediavault-webgui\[[[:digit:]]+\]: Authorized login from
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[.+\] kvm \[[0-9]+]: vcpu[0-9]+ unimplemented perfctr wrmsr:
-Exception AttributeError: "'ZipArchive' object has no attribute '_zip'" in
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Timed out waiting for reply from
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Using NTP server
-transmission-daemon\[[0-9]+\]: .+ which was just downloaded, failed its checksum test
-systemd[\[0-9\]+]: Failed to reset devices.list on /system\.slice: Invalid argument
-systemd[\[0-9\]+]: Failed to reset devices.list on /machine\.slice: Invalid argument
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9\-]+: action 'action [0-9]+' suspended, next retry is
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9\-]+: action 'action [0-9]+' resumed
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9\-]+\]: Connection closed by [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9\-]+\]: .+\.timer: Adding .+ random time\.
-^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd was HUPed$
-^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd.+ exiting on signal.+$
-^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd.+ start$
-^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog: warning.+action is deprecated, consider using the 'stop' statement instead.+$
-^\w{3} [ :0-9]{11} [. [:alnum:]-]+ sh\[[0-9]+\]: GUI:
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?: (RSA|ECDSA|ED25519) (SHA256:)?[/+:[:alnum:]]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: disconnect from
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ cpu user usage.+
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ loadavg.+ matches resource limit.+
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ loadavg.+ check succeeded.+
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: Stopping ftp server: proftpd.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: Starting ftp server: proftpd.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): Cannot create session: Already running in a session$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupsrv: Login successful for admin from .+ via web interface
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupsrv: Client authentication failure for .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Creating shadowcopy of "root" failed.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Token id for user.+not found$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Token id for group.+not found$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error getting file type of.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error getting extended attribute.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error stating file .+ to get file tokens. Errno: 13$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: No LSB modules are available\.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .+ disconnected by user$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from .+ port .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pipe\[[0-9]+\]: .+ delivered via omvnotificationfilter service.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Watching system buttons on /dev/input/event.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Configuration file .+ is marked executable\. Please remove executable permission bits\. Proceeding anyway\.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+source3/nmbd/nmbd_namequery\.c:.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+query_name_response: Multiple \([0-9]+\) responses received for a query on subnet.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+This response was from.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-setup: Invoked with.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-apt: Invoked with.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-apt: \[WARNING\] Could not find aptitude\. Using apt-get instead\.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Creating SSL connection to host
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: SSL connection using.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Sent mail for.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[0-9\.]+\] \[UFW BLOCK\].+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [a-f0-9]+\[[0-9]+\]: t=.+ lvl=info msg=".+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user .+ from .+ port [0-9]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .+ port [0-9]+.+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from .+ port [0-9]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with .+ port [0-9]+: no matching cipher found. Their offer: .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with .+ port [0-9]+: no matching key exchange method found. Their offer: .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection reset by .+$

roles/docker/tasks/main.yml

@@ -1,27 +1,50 @@
----
-- name: Ensure group "docker" exists
-  group:
-    name: docker
-    state: present
+- name: Install and configure Docker
+  tags: [docker]
+  become: true
+  block:
+    - name: Install Docker
+      include_role:
+        name: nickjj.docker
 
-- name: Ensure default user belongs also to docker group
-  user:
-    name: "{{default_username}}"
-    groups: docker
-    append: yes
+    - name: Ensure group "docker" existcs
+      group:
+        name: docker
+        state: present
 
-- name: Add rsyslog custom rules for Docker
-  copy:
-    src: templates/docker.conf
-    dest: /etc/rsyslog.d/docker.conf
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
+    - name: Ensure default user belongs also to docker group
+      user:
+        name: "{{ default_user }}"
+        groups: docker
+        append: yes
 
-- name: Add logrotate custom rules for Docker logs
-  copy:
-    src: templates/logrotate_docker
-    dest: /etc/logrotate.d/docker
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
+    - name: Add rsyslog custom rules for Docker
+      copy:
+        src: docker.conf
+        dest: /etc/rsyslog.d/docker.conf
+        owner: root
+        group: root
+        mode: u=rw,g=r,o=r
+
+    - name: Add logrotate custom rules for Docker logs
+      copy:
+        src: logrotate_docker
+        dest: /etc/logrotate.d/docker
+        owner: root
+        group: root
+        mode: u=rw,g=r,o=r
+
+- name: Run a demo Nginx container
+  tags: [docker]
+  block:
+    - name: Install Docker Python SDK
+      pip:
+        name: docker
+
+    - name: Run nginxdemos/nginx-hello
+      community.docker.docker_container:
+        name: nginx-hello
+        image: nginxdemos/nginx-hello
+        state: started
+        restart: yes
+        ports:
+          - 8080:8080

roles/go/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: Install and configure GO
+  tags: go
+  become: true
+  # become_user: "{{ default_user }}"
+  block:
+    - name: Install and configure GO
+      include_role:
+        name: fubarhouse.golang
+      vars:
+        GOPATH: "{{ default_user_home }}/go"
+
+    - name: Set permissions on GOPATH
+      file:
+        path: "{{ default_user_home }}/go"
+        state: directory
+        recurse: true
+        owner: "{{ default_user }}"
+        group: "{{ default_user_group }}"
+
+- name: Install Go Version Manager
+  tags: go
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: install GVM
+      command: sh < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer)
+      args:
+        creates: "{{ default_user_home }}/.gvm"

roles/mac/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Tasks for configuring MacOS
+  tags: [mac]
+  block:
+    - name: Get default user home
+      user:
+        name: "{{ default_user }}"
+        state: present
+      register: default_user_details
+    - name: Set default user home
+      set_fact:
+        default_user_home: "{{ default_user_details.home }}"
+    - name: print home dir on mac
+      debug:
+        var: default_user_home
+    - name: Install command line tools
+      include_role:
+        name: elliotweiser.osx-command-line-tools
+    - name: Install and configure Homebrew
+      include_role:
+        name: geerlingguy.homebrew
+...

roles/networking/tasks/main.yml

@@ -1,17 +0,0 @@
----
-- name: Configure /etc/network/interfaces
-  template:
-    src: "{{interfaces_template}}"
-    dest: /etc/network/interfaces
-  register: _configure_interfaces
-
-- block:
-  - name: Reboot for networking changes
-    shell: "sleep 5 && shutdown -r now 'Networking changes found, rebooting'"
-    async: 1
-    poll: 0
-
-  - name: Wait for server to come back online
-    wait_for_connection:
-        delay: 15
-    when: _configure_interfaces is changed

roles/networking/templates/interfaces-dhcp-server.j2

@@ -1,9 +0,0 @@
-# The loopback network interface
-auto lo
-iface lo inet loopback
-
-# eth0 network interface
-auto eth0
-allow-hotplug eth0
-iface eth0 inet dhcp
-    dns-search server

roles/npm/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Install and configure npm/nvm/yarn
+  tags: npm
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: Install nvm
+      shell: "curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/{{ nvm_version }}/install.sh | bash"
+      args:
+        creates: "{{ default_user_home }}/.nvm/nvm.sh"
+
+    - name: Install latest node/npm
+      shell: "source {{ default_user_home }}/.nvm/nvm.sh && nvm install node"
+      args:
+        executable: /bin/bash
+
+    - name: Activate latest version
+      shell: "source {{ default_user_home }}/.nvm/nvm.sh && nvm use node"
+      args:
+        executable: /bin/bash
+
+    - name: Install Yarn
+      shell: "source {{ default_user_home }}/.nvm/nvm.sh && npm install -g yarn"
+      args:
+        executable: /bin/bash

roles/python/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Install and configure Python + tools
+  tags: python
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: Install Pyenv
+      shell: curl https://pyenv.run | zsh
+      args:
+        creates: "{{ default_user_home }}/.pyenv/bin/pyenv"
+      environment:
+        PYENV_ROOT: "{{ default_user_home }}/.pyenv"
+
+    - name: Install Pyenv version of Python
+      shell: "{{ default_user_home }}/.pyenv/bin/pyenv install {{ pyenv_python_version }}"
+      args:
+        creates: "{{ default_user_home }}/.pyenv/versions/{{ pyenv_python_version }}/bin/python"
+      when: install_pyenv_python
+
+    - name: Install pipx
+      command: python3 -m pip install pipx --user
+      args:
+        creates: "{{ default_user_home }}/.local/bin/pipx"
+
+    - name: Install pipx packages
+      shell: "{{ default_user_home }}/.local/bin/pipx install {{ item }} --force --include-deps"
+      loop: "{{ pipx_packages }}"
+
+    - name: Install Poetry
+      shell: curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3
+      args:
+        creates: "{{ default_user_home }}/.poetry/bin/poetry"
+
+    - name: Install Poetry plugin for oh-my-zsh
+      shell: |
+        mkdir {{ default_user_home }}/.oh-my-zsh/custom/plugins/poetry
+        {{ default_user_home }}/.poetry/bin/poetry completions zsh > {{ default_user_home }}/.oh-my-zsh/custom/plugins/poetry/_poetry
+      args:
+        creates: "{{ default_user_home }}/.oh-my-zsh/custom/plugins/poetry"
+
+    - name: Configure Poetry
+      command: "{{ default_user_home }}/.poetry/bin/poetry config virtualenvs.in-project true"

roles/reboot/tasks/main.yml

@@ -1,12 +0,0 @@
----
-- name: Reboot machine to finalize setup
-  shell: "sleep 5 && reboot"
-  async: 1
-  poll: 0
-
-- name: Wait for the reboot to complete
-  wait_for_connection:
-    connect_timeout: 20
-    sleep: 5
-    delay: 5
-    timeout: 300

roles/rust/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Install and configure Rust
+  tags: rust
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: Install Rust toolchain
+      shell: curl https://sh.rustup.rs -sSf | sh -s -- -y
+      args:
+        creates: "{{ default_user_home }}/.cargo/bin/rustup"
+      environment:
+        RUSTUP_HOME: "{{ default_user_home }}/.rustup"
+        CARGO_HOME: "{{ default_user_home }}/.cargo"
+
+    - name: Install base rust programs
+      shell: "{{ default_user_home }}/.cargo/bin/cargo install {{ item }}"
+      loop: "{{ cargo_packages }}"
+      when: install_cargo_packages

roles/setup/files/11-neofetch

@@ -0,0 +1,2 @@
+#!/bin/sh
+neofetch

roles/setup/tasks/main.yml

@@ -0,0 +1,134 @@
+- name: Initial server setup
+  tags: [setup]
+  block:
+    - name: Create default user
+      user:
+        name: "{{ default_user }}"
+        password: "{{ default_user_password | password_hash('sha512') }}"
+        groups: sudo
+        create_home: yes
+        shell: /bin/zsh
+        generate_ssh_key: yes
+        ssh_key_bits: 2048
+        ssh_key_file: .ssh/id_rsa
+        update_password: always
+        state: present
+
+    - name: Ensure sudo group has passwordless sudo privileges
+      lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^%sudo"
+        line: "%sudo ALL=(ALL) NOPASSWD:ALL"
+        validate: "/usr/sbin/visudo -cf %s"
+
+    - name: Upgrade apt packages
+      apt:
+        update_cache: yes
+        upgrade: full
+
+    - name: Install apt packages
+      apt:
+        name: "{{ packages_to_install }}"
+
+    - name: Add Debian backports
+      include_role:
+        name: jnv.debian-backports
+
+    - name: Add unattended-upgrades
+      include_role:
+        name: jnv.unattended-upgrades
+
+    - name: Install mozilla/sops
+      get_url:
+        url: https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux
+        dest: /usr/bin/sops
+        mode: "0755"
+        owner: root
+        group: root
+
+    - name: Enable dm_crypt module
+      modprobe:
+        name: dm_crypt
+        state: present
+
+    - name: Enable compress on logrotate
+      lineinfile:
+        dest: /etc/logrotate.conf
+        regexp: "^#?compress"
+        line: "compress"
+        state: present
+
+    - name: Configure timezone
+      timezone:
+        name: "{{ timezone }}"
+
+    - name: Configure ntp client and restart it
+      template:
+        src: ntp.conf.j2
+        dest: /etc/ntp.conf
+      notify:
+        - restart ntp
+        - restart cron
+
+    # - name: Set up exim4 conf
+    #   template:
+    #     src: update-exim4.conf.conf.j2
+    #     dest: /etc/exim4/update-exim4.conf.conf
+    #     owner: root
+    #     group: root
+    #     mode: 0644
+
+    # - name: Set up exim4 password file
+    #   template:
+    #     src: passwd.client.j2
+    #     dest: /etc/exim4/passwd.client
+    #     owner: root
+    #     group: Debian-exim
+    #     mode: 0640
+
+    # - name: Set up exim4 localmacros
+    #   copy:
+    #     src: exim4.conf.localmacros
+    #     dest: /etc/exim4/exim4.conf.localmacros
+    #     owner: root
+    #     group: root
+    #     mode: 0644
+    #   notify: restart exim4
+
+    # - name: Set up FROM addresses
+    #   template:
+    #     src: email-addresses.j2
+    #     dest: /etc/email-addresses
+    #     owner: root
+    #     group: root
+    #     mode: 0644
+    #   notify: restart exim4
+
+    - name: Make fail2ban work with ufw
+      lineinfile:
+        dest: "{{ item }}"
+        regexp: "^banaction"
+        line: "banaction = ufw"
+        state: present
+      with_items:
+        - /etc/fail2ban/jail.conf
+        - /etc/fail2ban/jail.local
+      notify:
+        - restart fail2ban
+
+    - name: Add neofetch to motd
+      copy:
+        src: 11-neofetch
+        dest: /etc/update-motd.d/11-neofetch
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Remove default motd messages
+      file:
+        path: "{{ item }}"
+        state: absent
+      with_items:
+        - /etc/update-motd.d/00-header
+        - /etc/update-motd.d/10-help-text

roles/setup/templates/email-addresses.j2

@@ -0,0 +1,2 @@
+root: "{{ smtp_mail_from }}"
+{{ default_user }}: "{{ smtp_mail_from }}"

roles/setup/templates/ntp.conf.j2

@@ -1,6 +1,6 @@
 driftfile /var/lib/ntp/drift
 
-restrict 127.0.0.1 
+restrict 127.0.0.1
 restrict -6 ::1
 
 restrict source notrap nomodify noquery

roles/shell/files/.tmux.conf

@@ -0,0 +1,45 @@
+######################
+### DESIGN CHANGES ###
+######################
+
+# 256 colours
+set -g default-terminal "screen-256color"
+
+# loud or quiet?
+set -g visual-activity both
+set -g visual-bell both
+set -g visual-silence off
+setw -g monitor-activity off
+set -g bell-action other
+
+#  modes
+setw -g clock-mode-colour colour9
+setw -g mode-style 'fg=colour1 bg=colour18 bold'
+
+# panes (when splitting)
+set -g pane-border-style 'fg=colour3 bg=colour0'
+set -g pane-active-border-style 'bg=colour0 fg=colour7'
+
+# statusbar
+set -g status-position bottom
+set -g status-justify left
+# bar across the bottom (blank)
+set -g status-style 'bg=colour3 fg=colour137 dim'
+set -g status-left ''
+# date + time fg=font, bg=background
+set -g status-right '#[fg=colour253,bg=colour15] %d/%m #[fg=colour253,bg=colour15] %H:%M:%S '
+set -g status-right-length 50
+set -g status-left-length 20
+
+# current window (tabs on bottom left)
+setw -g window-status-current-style 'fg=colour253 bg=colour15 bold'
+setw -g window-status-current-format ' #I#[fg=colour249]:#[fg=colour255]#W#[fg=colour249]#F '
+
+# inactive windows (tabs on bottom left)
+setw -g window-status-style 'fg=colour253 bg=colour16'
+setw -g window-status-format ' #I#[fg=colour237]:#[fg=colour250]#W#[fg=colour244]#F '
+
+setw -g window-status-bell-style 'fg=colour255 bg=colour1 bold'
+
+# messages
+set -g message-style 'fg=colour232 bg=colour3 bold'

roles/shell/tasks/main.yml

@@ -0,0 +1,158 @@
+---
+- name: Configure shell for default user
+  tags: shell
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: Get default user home
+      getent:
+        database: passwd
+        key: "{{ default_user }}"
+        split: ":"
+      when: target_system == "linux"
+
+    - name: Set default user home
+      set_fact:
+        default_user_home: "{{ getent_passwd[default_user][4] }}"
+      when: target_system == "linux"
+
+    - name: Install and configure default user environment
+      become: true
+      become_user: "{{ default_user }}"
+      block:
+        - name: Install .tmux.conf to default user
+          copy:
+            src: .tmux.conf
+            dest: "{{ default_user_home }}/.tmux.conf"
+            owner: "{{ default_user }}"
+            group: "{{ default_user_group }}"
+            force: yes
+            mode: 0644
+
+        - name: Create temporary install directory
+          tempfile:
+            path: "{{ default_user_home }}"
+            state: directory
+            suffix: .tmp
+          register: temp_install_dir
+          changed_when: false
+
+        - name: Download oh-my-zsh
+          get_url:
+            url: https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh
+            dest: "{{ temp_install_dir.path }}"
+            mode: 0777
+
+        - name: Install oh-my-zsh
+          shell: "sh {{ temp_install_dir.path }}/install.sh --unattended"
+          args:
+            creates: "{{ default_user_home }}/.oh-my-zsh"
+
+        - name: Install powerlevel10k theme
+          git:
+            repo: "https://gitee.com/romkatv/powerlevel10k.git"
+            version: master
+            dest: "{{ default_user_home }}/.oh-my-zsh/custom/themes/powerlevel10k"
+            depth: 1
+
+        - name: Install zsh-syntax-highlighting
+          git:
+            repo: "https://github.com/zsh-users/zsh-syntax-highlighting.git"
+            version: master
+            dest: "{{ default_user_home }}/.zsh/zsh-syntax-highlighting"
+            clone: yes
+            update: yes
+
+        - name: Install zsh-autosuggestions
+          git:
+            repo: https://github.com/zsh-users/zsh-autosuggestions
+            version: master
+            dest: "{{ default_user_home }}/.zsh/zsh-autosuggestions"
+            clone: yes
+            update: yes
+
+        - name: Install .zshrc to default user
+          template:
+            src: .zshrc.j2
+            dest: "{{ default_user_home }}/.zshrc"
+            owner: "{{ default_user }}"
+            group: "{{ default_user_group }}"
+            force: yes
+            mode: 0644
+
+        - name: Install .p10k.zsh to default user
+          copy:
+            src: .p10k.zsh
+            dest: "{{ default_user_home }}/.p10k.zsh"
+            owner: "{{ default_user }}"
+            group: "{{ default_user_group }}"
+            force: yes
+            mode: 0644
+
+- name: Configure shell for root user
+  tags: shell
+  become: true
+  block:
+    - name: Get root home
+      user:
+        name: root
+        state: present
+        shell: /bin/zsh
+      register: root_user_details
+
+    - name: Set root home
+      set_fact:
+        root_user_home: "{{ root_user_details.home }}"
+
+    - name: Print root user home
+      debug:
+        var: root_user_home
+
+    - name: Install .tmux.conf to root user
+      copy:
+        src: .tmux.conf
+        dest: "{{ root_user_home }}/.tmux.conf"
+        force: yes
+        mode: 0644
+
+    - name: Create temporary root install directory
+      tempfile:
+        path: "{{ root_user_home }}"
+        state: directory
+        suffix: .tmp
+      register: temp_install_dir_root
+      changed_when: false
+
+    - name: Download oh-my-zsh
+      get_url:
+        url: https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh
+        dest: "{{ temp_install_dir_root.path }}"
+        mode: 0777
+
+    - name: Install oh-my-zsh
+      shell: "sh {{ temp_install_dir_root.path }}/install.sh --unattended"
+      args:
+        creates: "{{ root_user_home }}/.oh-my-zsh"
+
+    - name: Install zsh-syntax-highlighting
+      git:
+        repo: "https://github.com/zsh-users/zsh-syntax-highlighting.git"
+        version: master
+        dest: "{{ root_user_home }}/.zsh/zsh-syntax-highlighting"
+        clone: yes
+        update: yes
+
+    - name: Install zsh-autosuggestions
+      git:
+        repo: https://github.com/zsh-users/zsh-autosuggestions
+        version: master
+        dest: "{{ root_user_home }}/.zsh/zsh-autosuggestions"
+        clone: yes
+        update: yes
+
+    - name: Install .zshrc to root user
+      template:
+        src: .zshrc.root.j2
+        dest: "{{ root_user_home }}/.zshrc"
+        force: yes
+        mode: 0644

roles/shell/templates/.zshrc.j2

@@ -0,0 +1,224 @@
+# Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc.
+# Initialization code that may require console input (password prompts, [y/n]
+# confirmations, etc.) must go above this block; everything else may go below.
+if [[ -r "${XDG_CACHE_HOME:-$HOME/.cache}/p10k-instant-prompt-${(%):-%n}.zsh" ]]; then
+  source "${XDG_CACHE_HOME:-$HOME/.cache}/p10k-instant-prompt-${(%):-%n}.zsh"
+fi
+
+# If you come from bash you might have to change your $PATH.
+# export PATH=$HOME/bin:/usr/local/bin:$PATH
+
+# Path to your oh-my-zsh installation.
+export ZSH="$HOME/.oh-my-zsh"
+
+ZSH_THEME="powerlevel10k/powerlevel10k"
+
+# Set list of themes to pick from when loading at random
+# Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in ~/.oh-my-zsh/themes/
+# If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion.
+# Case-sensitive completion must be off. _ and - will be interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment the following line to disable bi-weekly auto-update checks.
+# DISABLE_AUTO_UPDATE="true"
+
+# Uncomment the following line to automatically update without prompting.
+# DISABLE_UPDATE_PROMPT="true"
+
+# Uncomment the following line to change how often to auto-update (in days).
+# export UPDATE_ZSH_DAYS=13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS=true
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command auto-correction.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion.
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files
+# under VCS as dirty. This makes repository status check for large repositories
+# much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time
+# stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications,
+# see 'man strftime' for details.
+# HIST_STAMPS="mm/dd/yyyy"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in ~/.oh-my-zsh/plugins/*
+# Custom plugins may be added to ~/.oh-my-zsh/custom/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+plugins=(
+    git
+    sudo
+    colored-man-pages
+    copydir
+    cp
+    jump
+    tmux
+    docker
+    docker-compose
+    poetry
+)
+
+source $ZSH/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:$MANPATH"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='mvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch x86_64"
+
+# Set personal aliases, overriding those provided by oh-my-zsh libs,
+# plugins, and themes. Aliases can be placed here, though oh-my-zsh
+# users are encouraged to define aliases within the ZSH_CUSTOM folder.
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+
+HISTSIZE=50000
+SAVEHIST=10000
+setopt extended_history
+setopt hist_expire_dups_first
+setopt hist_ignore_dups
+setopt hist_ignore_space
+setopt inc_append_history
+setopt share_history
+
+# Changing directories
+setopt auto_cd
+setopt auto_pushd
+unsetopt pushd_ignore_dups
+setopt pushdminus
+
+# Completion
+setopt auto_menu
+setopt always_to_end
+setopt complete_in_word
+unsetopt flow_control
+unsetopt menu_complete
+zstyle ':completion:*:*:*:*:*' menu select
+zstyle ':completion:*' matcher-list 'm:{a-zA-Z-_}={A-Za-z_-}' 'r:|=*' 'l:|=* r:|=*'
+zstyle ':completion::complete:*' use-cache 1
+zstyle ':completion::complete:*' cache-path $ZSH_CACHE_DIR
+zstyle ':completion:*' list-colors ''
+zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01'
+
+# Other
+setopt prompt_subst
+
+################################################################
+# ZSH                                                          #
+################################################################
+
+source ~/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+source ~/.zsh/zsh-autosuggestions/zsh-autosuggestions.zsh
+
+# To customize prompt, run `p10k configure` or edit ~/.p10k.zsh.
+[[ ! -f ~/.p10k.zsh ]] || source ~/.p10k.zsh
+
+################################################################
+# ALIASES                                                      #
+################################################################
+alias ls="exa"
+alias ll="exa -l"
+alias pbat="bat -Pp"
+alias vsource="source .venv/bin/activate"
+alias size='du -c -h -d 1 | sort -h'
+
+################################################################
+# PATH                                                         #
+################################################################
+export PATH=/usr/sbin:$PATH
+export PATH="$PATH:$HOME/.local/bin"
+
+################################################################
+# PYTHON                                                       #
+################################################################
+# Pyenv
+export PATH="$HOME/.pyenv/bin:$PATH"
+eval "$(pyenv init --path)"
+eval "$(pyenv virtualenv-init -)"
+
+# Pipx
+export PIPX_DEFAULT_PYTHON="$HOME/.pyenv/shims/python3"
+autoload -U bashcompinit
+bashcompinit
+eval "$(register-python-argcomplete pipx)"
+
+# Poetry
+export PATH="$HOME/.poetry/bin:$PATH"
+
+################################################################
+# RUST                                                         #
+################################################################
+source "$HOME/.cargo/env"
+
+################################################################
+# GO                                                           #
+################################################################
+export GOBIN="$HOME/go/bin"
+export PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
+
+# GVM
+[[ -s "$HOME/.gvm/scripts/gvm" ]] && source "$HOME/.gvm/scripts/gvm"
+
+################################################################
+# NVM                                                          #
+################################################################
+export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
+[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
+
+################################################################
+# APPS                                                         #
+################################################################
+# AWS
+complete -C "$HOME/.local/bin/aws_completer" aws
+
+# TFEnv
+export PATH="$PATH:$HOME/.tfenv/bin"
+
+# VSCode
+export PATH="$PATH:/usr/local/bin"
+
+################################################################
+# LEGACY                                                       #
+################################################################
+# export EDITOR="/usr/local/bin/subl -w"

roles/shell/templates/.zshrc.root.j2

@@ -0,0 +1,82 @@
+# Path to your oh-my-zsh installation.
+export ZSH="$HOME/.oh-my-zsh"
+
+ZSH_THEME="agnoster"
+
+# Which plugins would you like to load?
+# Standard plugins can be found in ~/.oh-my-zsh/plugins/*
+# Custom plugins may be added to ~/.oh-my-zsh/custom/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+plugins=(
+    git
+    sudo
+    colored-man-pages
+    copydir
+    cp
+    jump
+    tmux
+    docker
+    docker-compose
+)
+
+ZSH_DISABLE_COMPFIX="true"
+source $ZSH/oh-my-zsh.sh
+
+HISTSIZE=50000
+SAVEHIST=10000
+setopt extended_history
+setopt hist_expire_dups_first
+setopt hist_ignore_dups
+setopt hist_ignore_space
+setopt inc_append_history
+setopt share_history
+
+# Changing directories
+setopt auto_cd
+setopt auto_pushd
+unsetopt pushd_ignore_dups
+setopt pushdminus
+
+# Completion
+setopt auto_menu
+setopt always_to_end
+setopt complete_in_word
+unsetopt flow_control
+unsetopt menu_complete
+zstyle ':completion:*:*:*:*:*' menu select
+zstyle ':completion:*' matcher-list 'm:{a-zA-Z-_}={A-Za-z_-}' 'r:|=*' 'l:|=* r:|=*'
+zstyle ':completion::complete:*' use-cache 1
+zstyle ':completion::complete:*' cache-path $ZSH_CACHE_DIR
+zstyle ':completion:*' list-colors ''
+zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01'
+
+# Other
+setopt prompt_subst
+
+################################################################
+# ZSH                                                          #
+################################################################
+
+source ~/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+source ~/.zsh/zsh-autosuggestions/zsh-autosuggestions.zsh
+
+################################################################
+# ALIASES                                                      #
+################################################################
+alias ls="exa"
+alias ll="exa -l"
+alias pbat="bat -Pp"
+alias vsource="source .venv/bin/activate"
+alias size='du -c -h -d 1 | sort -h'
+
+################################################################
+# PATH                                                         #
+################################################################
+export PATH="$PATH:/usr/sbin"
+export PATH="$HOME/.local/bin:$PATH"
+
+################################################################
+# RUST                                                         #
+################################################################
+export PATH="{{ default_user_home }}/.cargo/bin:$PATH"

roles/ssh/tasks/main.yml

@@ -1,34 +1,19 @@
 ---
-- name: Remove any PermitRootLogin instruction
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^PermitRootLogin"
-    state: absent
-  notify: restart ssh
+- name: Configure SSH access
+  tags: [ssh]
+  become: true
+  block:
+    - name: Remove any PermitRootLogin instruction
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^PermitRootLogin"
+        state: absent
+      notify: restart ssh
 
-- name: Disable SSH root login
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^PermitRootLogin"
-    line: "PermitRootLogin prohibit-password"
-    state: present
-  notify: restart ssh
-
-- name: Disable password authentication
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^#?PasswordAuthentication"
-    line: "PasswordAuthentication no"
-    state: present
-  notify: restart ssh
-
-- name: Set SSH port
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^Port"
-    line: "Port {{sshd_port}}"
-    state: present
-  notify: restart ssh
-
-- name: Test
-  lineinfile
+    - name: Disable SSH root login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^PermitRootLogin"
+        line: "PermitRootLogin prohibit-password"
+        state: present
+      notify: restart ssh

roles/terraform/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: Install and configure Terraform
+  tags: terraform
+  become: true
+  become_user: "{{ default_user }}"
+  block:
+    - name: Install tfenv
+      git:
+        repo: https://github.com/tfutils/tfenv.git
+        version: master
+        dest: "{{ default_user_home }}/.tfenv"
+        depth: 1
+
+    - name: Install latest version of Terraform
+      shell: "{{ default_user_home }}/.tfenv/bin/tfenv install latest"
+      args:
+        creates: "{{ default_user_home }}/.tfenv/version"
+
+    - name: Use latest version of Terraform
+      shell: "{{ default_user_home }}/.tfenv/bin/tfenv use latest"

roles/ufw/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: reload ufw
-  ufw:
-    state: reloaded

roles/ufw/tasks/main.yml

@@ -1,18 +0,0 @@
----
-- name: Apply custom connection ufw rules
-  ufw: rule="{{item.rule}}" port="{{item.port}}" src="{{item.src}}" proto="{{item.proto}}" direction="{{item.direction}}"
-  with_items: "{{ufw_rules}}"
-
-#- name: Limit SSH connection rate
-#  ufw: rule=limit port=22 proto=tcp
-
-- name: Deny all incoming connections
-  ufw: "direction=incoming policy=reject"
-
-- name: Enable logging
-  ufw:
-    logging: on
-
-- name: Enable firewall
-  ufw: state=enabled
-  notify: reload ufw

roles/user/tasks/main.yml

@@ -1,91 +0,0 @@
----
-- name: Update default user, belonging to sudo group
-  user:
-    name: "{{default_username}}"
-    password: "{{default_password | password_hash('sha512')}}"
-    groups: sudo
-    create_home: yes
-    shell: /bin/bash
-    generate_ssh_key: yes
-    ssh_key_bits: 2048
-    ssh_key_file: .ssh/id_rsa
-    update_password: always
-    state: present
-
-- name: Ensure sudo group has sudo privileges without password
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: "^%sudo"
-    line: "%sudo ALL=(ALL) NOPASSWD:ALL"
-    validate: "/usr/sbin/visudo -cf %s"
-
-# copy local files to remote
-- name: Install .forward file in users' folders
-  template:
-    src: dot.forward.j2
-    dest: "{{item}}/.forward"
-    owner: "{{default_username}}"
-    group: "{{default_username}}"
-  with_items:
-    - "/root"
-    - "/home/{{default_username}}"
-
-- name: Clone dotfiles repository
-  become_user: "{{item.user}}"
-  git:
-    repo: "https://github.com/olivomarco/dotfiles.git"
-    version: master
-    dest: "{{item.path}}"
-    accept_hostkey: yes
-    clone: yes
-    update: yes
-  with_items:
-    - {user: "{{default_username}}", path: "/home/{{default_username}}/dotfiles"}
-    - {user: "root", path: "/root/dotfiles"}
-
-# - name: Run dotfiles/setup/setup-user.sh for {{item.user}}
-#   become_user: "{{item.user}}"
-#   shell: "{{item.path}}/setup/setup-user.sh"
-#   with_items:
-#     - {user: "{{default_username}}", path: "/home/{{default_username}}/dotfiles"}
-#     - {user: "root", path: "/root/dotfiles"}
-
-- name: Change owner of dotfiles in {{default_username}} folder
-  file:
-    path: "/home/{{default_username}}/dotfiles"
-    owner: "{{default_username}}"
-    group: "{{default_username}}"
-    recurse: yes
-
-# other setup
-- name: Assign public ssh key to a variable
-  shell: cat /home/{{default_username}}/{{public_key}}
-  register: ssh_public_key
-
-- name: Add default username's public SSH key to its authorized_keys file
-  lineinfile:
-    dest: "/home/{{default_username}}/.ssh/authorized_keys"
-    line: "{{ssh_public_key.stdout}}"
-    state: present
-    create: yes
-
-- name: Change root password
-  user:
-    name: root
-    password: "{{root_password | password_hash('sha512')}}"
-    update_password: always
-
-- name: chsh to /usr/bin/zsh for default user and root
-  user:
-    name: "{{item}}"
-    shell: /usr/bin/zsh
-  with_items:
-    - "{{default_username}}"
-    - "root"
-
-- debug:
-    msg: "user '{{default_username}}' generated password: {{default_password}}"
-
-- debug:
-    msg: "user 'root' generated password: {{root_password}}"

roles/user/templates/dot.forward.j2

@@ -1 +0,0 @@
-{{dot_forward_email}}

tasks.todo

@@ -0,0 +1,37 @@
+Tasks:
+    ☐ Configure nebula
+    ☐ Add the user path to `/etc/sudoers` file
+        https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html
+        `^Defaults\s*secure_path\=\"`
+    ✔ Change MOTD to include Neofetch @done(21-03-09 17:58)
+
+    ✔ Add a simplified zsh setup with Agnoster for root user @done(21-03-07 23:08)
+
+    Done:
+    ✔ Add node + node manager (plus yarn) @done(21-03-09 17:40)
+    ✔ Create initial folder layout @started(21-02-28 23:29) @done(21-03-03 14:30) @lasted(2d15h1m16s)
+    ✔ Create test playbook with a task @done(21-03-01 00:16)
+    ✔ Document creating a hosts file, and an `ansible.cfg` to create an inventory @done(21-03-01 00:07)
+        https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
+        Alternative to using an `ansible.cfg` is using the flag `-i hosts`
+        Hosts file can contain `ansible_user` and `ansible_ssh_pass` under a `vars` header
+    ✔ Test a connection with `ansible all -m ping` @done(21-03-01 00:08)
+    ✔ Document commands @done(21-03-03 14:30)
+        Run a playbook with `ansible-playbook -b test.yml`
+        If using vault do `--ask-vault-pass`
+        Point to an inventory with `-i hosts`
+    ✔ Still to configure: @done(21-03-04 13:08)
+        ✔ Monit @done(21-03-04 13:08)
+        ✔ UFW @done(21-03-04 12:57)
+        ✔ Networking @done(21-03-04 12:59)
+    ✔ Configure /etc/email-addresses with from addresses for root and default_user @done(21-03-04 12:57)
+        https://serverfault.com/questions/377821/exim-send-every-emails-with-a-predefined-sender
+
+Mac:
+    Mac functionality needs adding
+    Done:
+        ✔ https://github.com/elliotweiser/ansible-osx-command-line-tools @done(21-03-05 22:02)
+        ✔ Add tag/variable to toggle between server/mac setup @started(21-03-05 22:01) @done(21-03-05 22:02) @lasted(1m33s)
+        ✔ Install Homebrew packages for Python @done(21-03-05 22:35)
+            `brew install readline xz`
+            https://docs.ansible.com/ansible/latest/collections/community/general/homebrew_module.html