-
-
Save sickcodes/9587ebc0aa3f27c987ebc717a04957a8 to your computer and use it in GitHub Desktop.
Mac Ansible management example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Check if Previously Run | |
| stat: | |
| path: /var/log/ansible.log | |
| register: ansible_logfile | |
| - name: Enable FileVault2 | |
| filevault: enabled=true | |
| become_user: root | |
| - name: Install Brew | |
| block: | |
| - name: Verify Brew installation status | |
| stat: | |
| path: /usr/local/bin/brew | |
| register: brew | |
| - name: Install Brew | |
| script: brew_install.sh | |
| when: not brew.stat.exists | |
| - name: Disable Homebrew analytics | |
| command: brew analytics off | |
| - name: Close system preferences | |
| command: killall "System Preferences" ; sleep 1 | |
| register: command_result | |
| changed_when: command_result.rc != 0 | |
| ignore_errors: true | |
| become_user: root | |
| - name: Setup OSX Firewall & Network security settings | |
| block: | |
| - name: Enable Firewall | |
| command: defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true | |
| become_user: root | |
| - name: Enable Stealth Mode | |
| block: | |
| - name: Verify Stealth Mode Status | |
| command: defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled | |
| register: firewall_stealth_enabled | |
| changed_when: firewall_stealth_enabled != 1 | |
| - name: Enable Stealth Mode | |
| command: defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true | |
| when: firewall_stealth_enabled != 1 | |
| become_user: root | |
| - name: Enable network whitelisting for Apple-signed apps | |
| block: | |
| - name: Verify network whitelist for Apple-signed apps | |
| command: defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled | |
| register: firewall_signed_apps | |
| changed_when: firewall_signed_apps != 1 | |
| - name: Enable network whitelisting for Apple-signed apps | |
| command: defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false | |
| when: firewall_signed_apps != 1 | |
| become_user: root | |
| - name: Disable Multicast Advertisements | |
| command: defaults -currentHost write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES | |
| become_user: root | |
| - name: Disable captive portals | |
| command: defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false | |
| become_user: root | |
| - name: Disable print sharing | |
| command: cupsctl --no-share-printers | |
| become_user: root | |
| - name: Disable Airdrop | |
| command: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true | |
| become_user: root | |
| - name: Disable iCloud drive | |
| command: bash -c 'defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false' | |
| become_user: root | |
| - name: Disable Apple Push notifications | |
| command: bash -c 'launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist' | |
| become_user: root | |
| - name: Disable Remote Login | |
| block: | |
| - name: Verify Remote Login status | |
| command: bash -c "systemsetup -getremotelogin | awk '{print $3}'" | |
| register: disable_remote_login | |
| ignore_errors: True | |
| changed_when: disable_remote_login.stdout == 'On' | |
| - name: Disable Remote Login | |
| command: bash -c "systemsetup -f -setremotelogin off" | |
| when: disable_remote_login.stdout == 'On' | |
| become_user: root | |
| - name: Disable Remote Apple Events | |
| block: | |
| - name: Verify Remote Apple Events status | |
| command: bash -c "systemsetup -getremoteappleevents | awk '{print $4}'" | |
| register: remote_events | |
| - name: Disable Remote Apple Events | |
| command: systemsetup -setremoteappleevents off | |
| when: remote_events.stdout == 'On' | |
| become_user: root | |
| - name: Disable Internet sharing | |
| block: | |
| - name: Determine if internet sharing has been configured | |
| stat: path=/Library/Preferences/SystemConfiguration/com.apple.nat.plist | |
| register: internet_sharing_config | |
| - name: Verify Internet Sharing status | |
| command: bash -c "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'" | |
| ignore_errors: True | |
| register: internet_sharing | |
| when: internet_sharing_config.stat.exists == True | |
| - name: Disable Internet Sharing | |
| command: bash -c "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false" | |
| when: internet_sharing_config.stat.exists == True and internet_sharing.stdout == '1' | |
| ignore_errors: True | |
| become_user: root | |
| - name: Disable Wake-on-LAN | |
| block: | |
| - name: Verify Wake-on-LAN status | |
| command: bash -c "systemsetup getwakeonnetworkaccess | awk '{print $5}'" | |
| register: wol_disabled | |
| - name: Disable Wake-on-LAN | |
| command: systemsetup -setwakeonnetworkaccess off | |
| when: wol_disabled.stdout == 'On' | |
| become_user: root | |
| # Apple won't let us have nice things | |
| #- name: Destroy Filevault key on standby | |
| # block: | |
| # - name: Verify Filevault key on standbuy status | |
| # command: bash -c "pmset -g | grep hibernatemode | awk '{print $2}'" | |
| # register: pmset_hibernate | |
| # - name: Destroy Filevault key on standby | |
| # command: bash -c 'pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0' | |
| # when: pmset_hibernate.stdout != '25' | |
| # become_user: root | |
| - name: Enable Automatic System Updates | |
| block: | |
| - name: Verify automatic system updates | |
| command: softwareupdate --schedule | grep -i 'Automatic check is on' | |
| register: software_updates_enabled | |
| - name: Enable automatic system updates | |
| command: softwareupdate --schedule on | |
| when: software_updates_enabled != 0 | |
| become_user: root | |
| - name: Activate screensaver/lock after 5 minutes | |
| block: | |
| # Apple totally broke this and replaced it with nothing: | |
| # https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2 | |
| # - name: Require password to wake from sleep | |
| # block: | |
| # - name: Verify requirement of password to wake from sleep | |
| # command: defaults read com.apple.screensaver askForPassword | |
| # register: screen_saver_password | |
| # - name: Require password to wake from sleep | |
| # command: defaults write com.apple.screensaver askForPassword -bool true | |
| # when: screen_saver_password.stdout != 1 | |
| - name: Remove delay if screen_saver_delay < 0 | |
| command: defaults -currentHost write com.apple.screensaver askForPasswordDelay -bool false | |
| - name: Verify status of screensaver lock | |
| register: ss_idle_timer | |
| shell: | | |
| UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/') | |
| for i in $(find /Users -type d -maxdepth 1); do | |
| PREF="$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID" | |
| if [ -e $PREF.plist ]; then | |
| TIMEOUT=$(defaults read $PREF.plist idleTime) | |
| if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 300 ]; then | |
| echo 1 | |
| fi | |
| else | |
| echo 0 | |
| fi | |
| done | |
| - name: Enable screensaver lock after 5 minutes | |
| shell: | | |
| UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/') | |
| for i in $(find /Users -type d -maxdepth 1); do | |
| PREF="$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID" | |
| if [ -e $PREF.plist ]; then | |
| defaults -currentHost write $PREF.plist idleTime -int 300 | |
| fi | |
| done | |
| when: ss_idle_timer | |
| become_user: root | |
| - name: Enable Logging for the operating system. | |
| block: | |
| - name: Verify logging is enabled for the operating system | |
| command: defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled | |
| register: logging_enabled | |
| - name: Enable logging for the operating system | |
| command: defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true | |
| when: logging_enabled.stdout != "1" | |
| become_user: root | |
| - name: Enable Gatekeeper Protection | |
| block: | |
| - name: Verify Gatekeeper protection status | |
| command: bash -c "spctl --status | awk '{print $2}'" | |
| register: gatekeeper_protection | |
| - name: Enable Gatekeeper protection | |
| command: bash -c "spctl --master-enable" | |
| when: gatekeeper_protection != 'enabled' | |
| become_user: root | |
| - name: Disable IR Receiver | |
| block: | |
| - name: Verify IR receiver status | |
| command: defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled | |
| register: ir_disable | |
| - name: Disable IR receiver | |
| command: defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false | |
| when: ir_disable == 1 | |
| become_user: root | |
| - name: Require administrator password system-wide | |
| command: bash -c 'security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist' | |
| become_user: root | |
| - name: Install Software | |
| block: | |
| - name: Ensure Homebrew Taps. | |
| homebrew_tap: | |
| name: | |
| - homebrew/cask | |
| - homebrew/cask-drivers | |
| - name: Install casks. | |
| homebrew_cask: | |
| name: | |
| - chromium | |
| - thunderbird | |
| - yubico-yubikey-manager | |
| - yubico-authenticator | |
| - iterm2 | |
| - vlc | |
| - libreoffice | |
| - qtpass | |
| - element | |
| - gimp | |
| - name: Install Homebrew Packages | |
| block: | |
| - name: Install primary packages | |
| homebrew: | |
| name: | |
| - git | |
| - gnupg | |
| - pass | |
| - node | |
| - go | |
| - watchman | |
| - nvm | |
| - grunt | |
| - grunt-cli | |
| - curl | |
| - tmux | |
| - rsync | |
| - binutils | |
| - diffutils | |
| - findutils | |
| - coreutils | |
| - gnu-indent | |
| - gnu-sed | |
| - gnu-tar | |
| - gnu-which | |
| - gnutls | |
| - gawk | |
| - grep | |
| - watch | |
| - pv | |
| - wdiff | |
| - wget | |
| - diffutils | |
| - ed | |
| - htop | |
| - vim | |
| - jq | |
| - ykman | |
| - ykpers | |
| - pinentry | |
| - pinentry-mac | |
| - swig | |
| - python | |
| - cmake | |
| - python3 | |
| - libu2f-host | |
| - libusb | |
| - dockutil | |
| - name: Link gnupg package | |
| homebrew: | |
| state: linked | |
| install_options: overwrite | |
| name: gnupg | |
| ignore_errors: true | |
| - name: Setup Dock | |
| tags: [dock] | |
| when: not ansible_logfile.stat.exists | |
| vars: | |
| dock_apps: | |
| - name: Chromium | |
| path: /Applications/Chromium.app | |
| - name: Riot | |
| path: /Applications/Element.app | |
| - name: Thunderbird | |
| path: /Applications/Thunderbird.app | |
| - name: iTerm | |
| path: /Applications/iTerm.app | |
| - name: Yubico Authenticator | |
| path: /Applications/Yubico Authenticator.app | |
| - name: VLC | |
| path: /Applications/VLC.app | |
| - name: Gimp | |
| path: /Applications/Gimp.app | |
| - name: LibreOffice | |
| path: /Applications/LibreOffice.app | |
| - name: QtPass | |
| path: /Applications/QtPass.app | |
| block: | |
| - name: Removed discouraged items from dock | |
| shell: dockutil --no-restart --remove '{{item}}' | |
| with_items: | |
| - Siri | |
| - Launchpad | |
| - Safari | |
| - Contacts | |
| - Reminders | |
| - Maps | |
| - Photos | |
| - Messages | |
| - FaceTime | |
| - iTunes | |
| - iBooks | |
| - System Preferences | |
| - Calendar | |
| - name: Add items to dock | |
| include_role: | |
| name: dock | |
| - name: Shell Configuration | |
| block: | |
| - file: path="$HOME/.gnupg" state=directory | |
| - name: Set pinentry-mac to default gpg pinentry | |
| lineinfile: | |
| create: yes | |
| path: "$HOME/.gnupg/gpg-agent.conf" | |
| line: "pinentry-program /usr/local/bin/pinentry-mac" | |
| - name: Put python packages in $PATH | |
| lineinfile: | |
| create: yes | |
| path: "$HOME/.bash_profile" | |
| line: "PATH=$HOME/Library/Python/2.7/bin:$PATH" | |
| - name: add .local/bin to $PATH | |
| lineinfile: | |
| create: yes | |
| path: "$HOME/.bash_profile" | |
| line: "PATH=$HOME/Library/Python/2.7/bin:$PATH" | |
| - name: Setup gpg-agent for ssh use | |
| blockinfile: | |
| path: "$HOME/.bash_profile" | |
| insertafter: EOF | |
| state: present | |
| content: | | |
| envfile="$HOME/.gnupg/gpg-agent.env" | |
| if ( [[ ! -e "$HOME/.gnupg/S.gpg-agent" ]] && \ | |
| [[ ! -e "/var/run/user/$(id -u)/gnupg/S.gpg-agent" ]] ); | |
| then | |
| killall pinentry > /dev/null 2>&1 | |
| gpgconf --reload scdaemon > /dev/null 2>&1 | |
| pkill -x -INT gpg-agent > /dev/null 2>&1 | |
| gpg-agent --daemon --enable-ssh-support > $envfile | |
| fi | |
| # Wake up smartcard to avoid races | |
| gpg --card-status > /dev/null 2>&1 | |
| source "$envfile" | |
| - name: Automatically Update/Run Ansible from Git | |
| block: | |
| - name: Install trusted author PGP keys | |
| block: | |
| - copy: src=keys/pgp/{{ item }}.key dest=/usr/local/etc/ansible/keys/authors/ | |
| with_items: | |
| - lance | |
| - cyrus | |
| - vittorio | |
| - file: path=/usr/local/etc/ansible/keys/gnupg state=directory | |
| - shell: | | |
| GNUPGHOME=/usr/local/etc/ansible/keys/gnupg \ | |
| gpg --import /usr/local/etc/ansible/keys/authors/*.key | |
| args: | |
| executable: /bin/bash | |
| become_user: root | |
| - name: Install ansible-pull config | |
| copy: | |
| dest: /usr/local/etc/ansible/ansible-pull.env | |
| content: | | |
| [email protected]:your-repo/workstations.git | |
| GIT_BRANCH=master | |
| GIT_PATH=/usr/local/etc/ansible/repos/workstation-config | |
| GIT_PRIVATE_KEY_PATH=/usr/local/etc/ansible/ansible-pull.key | |
| PLAYBOOK_FILE=main.yml | |
| KEY_FILE=/usr/local/etc/ansible/ansible-pull.key | |
| GNUPGHOME=/usr/local/etc/ansible/keys/gnupg/ | |
| SUDO_USER={{ ansible_user_id }} | |
| become_user: root | |
| - name: Ensure github.com is a known host | |
| lineinfile: | |
| dest: /var/root/.ssh/known_hosts | |
| create: yes | |
| state: present | |
| line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}" | |
| regexp: "^github\\.com" | |
| become_user: root | |
| - name: Install ansible-pull read-only private key | |
| copy: | |
| mode: "400" | |
| dest: /usr/local/etc/ansible/ansible-pull.key | |
| content: | | |
| -----BEGIN EC PRIVATE KEY----- | |
| your-deploy-key-here | |
| -----END EC PRIVATE KEY----- | |
| become_user: root | |
| - name: Install ansible-pull as cron job | |
| block: | |
| - copy: | |
| dest: /usr/local/bin/ansible-pull.sh | |
| mode: "a+x" | |
| content: | | |
| #!/bin/bash | |
| source /etc/profile | |
| export $( cat /usr/local/etc/ansible/ansible-pull.env | xargs ) | |
| /usr/local/bin/ansible-pull \ | |
| -U $GIT_REPO \ | |
| -C $GIT_BRANCH \ | |
| -d $GIT_PATH \ | |
| -i 'localhost,' \ | |
| --verify-commit \ | |
| --key-file $GIT_PRIVATE_KEY_PATH \ | |
| $PLAYBOOK_FILE >> /var/log/ansible.log 2>&1 | |
| - cron: | |
| name: "run ansible-pull" | |
| minute: "0" | |
| hour: "13" | |
| user: root | |
| job: /usr/local/bin/ansible-pull.sh | |
| become_user: root |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment