V2EX  ›  Kirkcong  ›  All replies, page 2 of 47
Total replies: 934
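@mimiphp #5 Encrypting group chats does make sense. It's true that anyone who joins the group can see the content, but the point is that my own small group has only 3 people and I won't let anyone else in, so it still needs protection against third-party attacks in transit.

The scenario you describe is a problem for open or semi-open group chats, where you can't be sure there is no insider. As long as your group is private, the problem you describe doesn't exist.
13 days ago
Replied to the topic created by BaiLinfeng in NAS: What backup solution does everyone use for ios
@BaiLinfeng It's ios
19 days ago
Replied to the topic created by mlzboy in Q&A: Please recommend good productivity tools
@red13 #2 If someone needs to work at so-called "looking classy", then all I can say is that this person's life is too exhausting. What does one's own life have to do with other people? And, to hazard a bold guess, this person probably isn't highly educated.
@letwewell #6 There's a problem. The first half is indeed about the essence, but the second half is too narrow. Being able to sort everything into these two categories presupposes that you do things in order to exchange benefits, but people don't act entirely out of self-interest. For example, when a child does all kinds of evil, the mother still shields and deeply loves the child. That has nothing to do with benefits; it is simply human nature.
Going by the OP's description, this should be a "casual remark", not a "verbal offer".
19 days ago
Replied to the topic created by zyt5876 in NAS: With a public IP, how do I protect my RDP and nas
@yinmin #16 The vulnerabilities you mention are all from ancient times. If you keep Windows Update on and use a system that has not reached EOL, there won't be a problem. Our servers have had rdp exposed to the public internet for years without any problem at all. 99.9% of the cases where rdp was compromised were caused by weak passwords or credential stuffing. Even if a real 0day does come out, it won't be used for mass scanning; that would be too wasteful. Besides, the vulnerabilities that have appeared in recent years all have preconditions: either you have ordinary user privileges (internal privilege escalation), or you can already access the machine (input method bypass of login).
20 days ago
Replied to the topic created by importmeta in Programmers: Why is the Steam mobile authenticator still blocked by the Great Firewall?
@CSGO #4
@Ljcbaby #5
Same question
It's routine for a network interface name to change because a new device was plugged in, and it's reasonable too. If you need to pin the name of a particular device, use udev to change it. All the network ports in use at my company are pinned with udev.
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@EyebrowsWhite #35 dedicate is already baremetal, and besides, I also have a colo machine placed in a China Unicom data center
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@EyebrowsWhite #23 I started out on Tencent lightweight servers, later switched to aws lightsail, then bought a three-year machine from hosthatch on Black Friday, and have now moved to ovh dedicate...
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@defunct9 #28 Different requirements; autopilot doesn't meet them
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@taberu #24 What a coincidence, I use haproxy too, but I have two layers: the external haproxy hands off to the internal haproxy
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@w568w #20 We run a playbook that gathers facts across dozens to hundreds of machines and it takes nowhere near your 10 minutes. Yours isn't normal; debug it and see where it hangs by adding -vvv to the command
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@EyebrowsWhite #18 For your example, what the playbook should contain is the installation of docker compose (if it is docker) and a wget of your docker compose yml from git.

I personally have many vps, for different purposes, but the base configuration is shared. As for why the customized configuration goes into ansible: machines need to be upgraded or rebuilt for all sorts of reasons, such as switching from one provider to another, or the machine got messed up, or possibly for an upgrade.

If you don't have many machines and have no need to rebuild, you can write only the common configuration, such as disabling selinux, turning off firewalld, disabling ipv6, creating users, and adding keys. For an individual service, if it is your production environment, then make sure you have backups.
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄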
# tasks file for system configuration

- block:

    - name: disable SWAP (Kubeadm requirement)
      shell: |
        swapoff -a

    - name: disable SWAP in fstab (Kubeadm requirement)
      replace:
        path: /etc/fstab
        regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
        replace: '# \1'

    - name: create an empty file for the Containerd module
      copy:
        content: ""
        dest: /etc/modules-load.d/containerd.conf
        force: no

    - name: configure modules for Containerd
      blockinfile:
        path: /etc/modules-load.d/containerd.conf
        block: |
          overlay
          br_netfilter

    - name: create an empty file for Kubernetes sysctl params
      copy:
        content: ""
        dest: /etc/sysctl.d/99-kubernetes-cri.conf
        force: no

    - name: configure sysctl params for Kubernetes
      lineinfile:
        path: /etc/sysctl.d/99-kubernetes-cri.conf
        line: "{{ item }}"
      with_items:
        - 'net.bridge.bridge-nf-call-iptables = 1'
        - 'net.ipv4.ip_forward = 1'
        - 'net.bridge.bridge-nf-call-ip6tables = 1'

    - name: apply sysctl params without reboot
      command: sysctl --system

    - name: add Docker's dnf repository
      get_url:
        url: https://download.docker.com/linux/rhel/docker-ce.repo
        dest: /etc/yum.repos.d/docker-ce.repo
        mode: '0644'
        force: true

    - name: add Kubernetes' dnf repository
      yum_repository:
        name: Kubernetes
        description: Kubernetes
        baseurl: https://pkgs.k8s.io/core:/stable:/v{{ ansible_local['static']['kubernetes']['version'] }}/rpm/
        gpgkey: https://pkgs.k8s.io/core:/stable:/v{{ ansible_local['static']['kubernetes']['version'] }}/rpm/repodata/repomd.xml.key
        enabled: true
        gpgcheck: true
        state: present

    - name: install Containerd
      ansible.builtin.dnf:
        name: containerd.io
        state: present

    - name: create Containerd directory
      file:
        path: /etc/containerd
        state: directory

    - name: add Containerd configuration
      shell: /usr/bin/containerd config default > /etc/containerd/config.toml

    - name: configuring the systemd cgroup driver for Containerd
      lineinfile:
        path: /etc/containerd/config.toml
        regexp: ' SystemdCgroup = false'
        line: ' SystemdCgroup = true'

    - name: enable the Containerd service and start it
      systemd:
        name: containerd
        state: restarted
        enabled: yes
        daemon-reload: yes

    - name: install packages
      dnf:
        name:
          - kubelet
          - kubeadm
          - kubectl
          - iproute-tc
        state: present
        update_cache: true
      register: packages

    - name: download helm script
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
        dest: /tmp/get-helm-3.sh
        mode: '0755'
        force: true

    - name: install helm
      ansible.builtin.shell:
        cmd: /tmp/get-helm-3.sh

    - name: enable the Kubelet service, and enable it persistently
      service:
        name: kubelet
        enabled: yes

    - name: load br_netfilter kernel module
      modprobe:
        name: br_netfilter
        state: present

    - name: set bridge-nf-call-iptables
      sysctl:
        name: net.bridge.bridge-nf-call-iptables
        value: 1

    - name: set ip_forward
      sysctl:
        name: net.ipv4.ip_forward
        value: 1

    - name: reboot and wait for reboot to complete
      reboot:
      when: packages.changed
20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
---
# tasks file for common

- name: Account management tasks
  block:
    - name: Ensure group "admin" exists
      ansible.builtin.group:
        name: admin
        gid: 4141
        state: present

    - name: Accounts configuration
      ansible.builtin.user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        state: present
        group: "{{ item.group }}"
      loop: "{{ accounts }}"

    - name: Set up multiple authorized keys
      ansible.builtin.authorized_key:
        user: "{{ item.user }}"
        key: "{{ item.key }}"
        manage_dir: true
      loop: "{{ keys }}"

    - name: Add sudoers for ansible and hola
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/systems
        line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
        create: true
      loop: "{{ accounts }}"
      when: item.admin | bool

    - name: Change root password
      ansible.builtin.user:
        name: root
        password: "{{ root_password }}"
        state: present

    - name: Change hola password
      ansible.builtin.user:
        name: hola
        password: "{{ user_password }}"
        state: present

    - name: Install the packages when os is rhel
      ansible.builtin.dnf:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_rhel }}"
      when: ansible_os_family == "RedHat"

    - name: Install the packages when os is debian
      ansible.builtin.apt:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_debian }}"
      when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"

  become: true
  ignore_errors: false
  remote_user: root
  vars:
    ansible_ssh_private_key_file: "~/ansi/key"

- name: Generate facts
  block:
    - name: Create directory for ansible custom facts
      ansible.builtin.file:
        state: directory
        recurse: true
        path: /etc/ansible/facts.d

    - name: Check if custom facts exist
      ansible.builtin.stat:
        path: /etc/ansible/facts.d/static.fact
      register: host_facts_stat

    - name: Install custom fact
      ansible.builtin.copy:
        src: static.fact
        dest: /etc/ansible/facts.d
      when: not host_facts_stat.stat.exists

    - name: End the play after first time to create custom facts
      meta: end_play
      when: not host_facts_stat.stat.exists

  become: true
  ignore_errors: false
  remote_user: root
  vars:
    ansible_ssh_private_key_file: "~/ansi/key"

- name: Load custom facts
  ansible.builtin.setup:
    filter: ansible_local

- name: System configuration tasks
  block:
    - name: Re-read facts after adding custom fact
      ansible.builtin.setup:
        filter: ansible_local

    # Upgrade packages
    # - name: Upgrade all packages for rhel
    #   ansible.builtin.dnf:
    #     name: "*"
    #     state: latest
    #   when: ansible_os_family == "RedHat"

    # - name: Upgrade all packages for debian
    #   ansible.builtin.apt:
    #     name: "*"
    #     state: latest
    #   when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"
    - name: Set hostname
      ansible.builtin.hostname:
        name: "{{ ansible_local['static']['general']['hostname'] }}"
      when: ansible_local['static']['general']['hostname'] is defined and ansible_local['static']['general']['hostname'] != ""

    - name: Configure eth0 ip address
      ansible.builtin.template:
        src: nmconnection_eth0.j2
        dest: /etc/NetworkManager/system-connections/eth0.nmconnection
        owner: root
        group: root
        mode: '0700'
      register: nmconnection_eth0_result

    # shell (not command) so the two nmcli calls run as separate commands
    - name: Reload eth0 configuration
      shell: |
        nmcli connection reload
        nmcli connection up eth0
      when: nmconnection_eth0_result.changed

    - name: Disable cloud-init network
      ansible.builtin.lineinfile:
        path: /etc/cloud/cloud.cfg
        regexp: '^ renderers'
        insertafter: '^ network:'
        line: " config: disabled"
      when: nmconnection_eth0_result.changed

    - name: Configure eth1 ip address
      ansible.builtin.template:
        src: nmconnection_eth1.j2
        dest: /etc/NetworkManager/system-connections/eth1.nmconnection
        owner: root
        group: root
        mode: '0700'
      when: ansible_local['static']['general']['ipaddr_eth1'] is defined and ansible_local['static']['general']['ipaddr_eth1'] != ""
      register: nmconnection_eth1_result

    # shell (not command) so the two nmcli calls run as separate commands
    - name: Reload eth1 configuration
      shell: |
        nmcli connection reload
        nmcli connection up eth1
      when: nmconnection_eth1_result.changed

    # - name: Display all variables/facts known for a host
    #   debug:
    #     var: hostvars[inventory_hostname]
    #   tags: debug_info

    - name: Install the packages when os is rhel
      ansible.builtin.dnf:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_rhel }}"
      when: ansible_os_family == "RedHat"

    - name: Install the packages when os is debian
      ansible.builtin.apt:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ packages_debian }}"
      when: ansible_os_family == "Debian" or ansible_os_family == "Ubuntu"

    - name: Enable atop is enabled and started
      ansible.builtin.systemd_service:
        name: atop
        enabled: true
        state: started

    - name: Disable SELinux persist
      ansible.builtin.selinux:
        state: permissive
        policy: targeted

    - name: Set SELinux in permissive mode at runtime
      command: setenforce 0

    - name: kernel parameters
      ansible.builtin.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
      loop: "{{ kernel_parameters }}"

    - name: Update grubby
      command: grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0 crashkernel=256M intel_idle.max_cstate=0 processor.max_cstate=1 idle=poll console=tty1 ipv6.disable=1 pci=nommconf pcie_aspm=off mitigations=off"
      when: ansible_os_family == "RedHat"

    - name: Ensure bash profile history lines number is unlimited
      ansible.builtin.lineinfile:
        path: /etc/profile
        regexp: '^HISTSIZE '
        insertafter: '^#HISTSIZE '
        line: HISTSIZE=-1

    - name: Ensure bash profile history file size is unlimited
      ansible.builtin.lineinfile:
        path: /etc/profile
        regexp: '^HISTFILESIZE '
        insertafter: '^#HISTFILESIZE '
        line: HISTFILESIZE=-1

  become: true
  ignore_errors: true
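
Three tasks from the two task files above, rewritten with the checks a reviewer would ask for: sudoers syntax validation, no password hashes in task output, and a pinned digest for the downloaded install script. This is an added example, not part of the original replies; `helm_script_sha256` is a hypothetical variable, and the other variables are the ones the original tasks already use.

```yaml
# Added example, not from the original replies. `accounts`, `root_password`
# and `user_password` are the variables the task files above already use;
# `helm_script_sha256` is a hypothetical variable introduced here.

- name: Add sudoers entries, syntax-checked before they replace the file
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/systems
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    create: true
    owner: root
    group: root
    mode: '0440'
    # visudo parses the candidate file; a malformed line fails the task
    # instead of leaving sudo broken on the host.
    validate: /usr/sbin/visudo -cf %s
  loop: "{{ accounts }}"
  when: item.admin | bool
  become: true

- name: Set account passwords without writing the hashes to task output
  ansible.builtin.user:
    name: "{{ item.name }}"
    # The user module expects a crypt(3) hash here, not a cleartext password.
    password: "{{ item.hash }}"
    state: present
  loop:
    - { name: root, hash: "{{ root_password }}" }
    - { name: hola, hash: "{{ user_password }}" }
  no_log: true
  become: true

- name: Download the helm install script only if it matches a reviewed digest
  ansible.builtin.get_url:
    url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
    dest: /tmp/get-helm-3.sh
    mode: '0700'
    # Set helm_script_sha256 to the SHA-256 of the copy you reviewed; the
    # task then fails if the file served from the main branch has changed.
    checksum: "sha256:{{ helm_script_sha256 }}"
  become: true
```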
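20 days ago
Replied to the topic created by EyebrowsWhite in Programmers: Ansible is such a joy to use 😄
@EyebrowsWhite #11 I use ansible on my personal machines too, including creating k8s nodes and some basic vps configuration such as adding keys, creating users, nfs mounts, hostname, and package installation. Having ansible makes things much more convenient
Get a pt account second-hand, for example Mantou (馒头); it is so complete. Paired with qbit+rss it pulls popular resources automatically and you don't have to do anything
@FlytoSirius #56 Unlocking the bl and only flashing a system without rooting won't lower the level. I flashed grapheneos and did nothing else, and it passes all of Google's checks directly. As for why some third-party ROMs fail the checks even without root, that is purely a problem with the ROM itself.
20 days ago
Replied to the topic created by Ploter in NAS: Come share your personal data backup setups
minio (Singapore + UK) + aws s3 (regular s3 data within the last six months, anything older automatically moved to deep archive; regions include Singapore and Japan) + 40TB OVH dedicate backup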