Update to 2021-12-01 19:13

roles/common/defaults/main.yml

@@ -0,0 +1,112 @@
+---
+
+# List of UNIX group which will have full root access, using sudo
+system_admin_groups: ['admins','Domain\ Admins']
+
+# Email address of the admin (will receive root email)
+# system_admin_email: admin@domain.net
+
+# List of basic system utilisties to install
+# (Common list for EL and Debian based distro)
+system_utils:
+  - htop
+  - screen
+  - iftop
+  - tcpdump
+  - bzip2
+  - pbzip2
+  - lzop
+  - vim
+  - bash-completion
+  - rsync
+  - lsof
+  - net-tools
+  - sysstat
+  - pciutils
+  - strace
+  - wget
+  - man-db
+  - unzip
+  - openssl
+  - pv
+  - less
+  - nano
+  - tree
+  - mc
+  - tar
+
+# Kernel modules to load
+system_kmods: []
+
+# List of extra package to install
+system_extra_pkgs: []
+
+# MegaCLI tool version
+megacli_version: 8.07.14-1
+
+# List of FS to mount
+fstab: []
+# fstab:
+#   - name: /mnt/data
+#     src: files.domain.org:/data
+#     opts: noatime
+#     fstype: nfs
+#     state: present
+#     boot: yes
+
+# Various SELinux booleans
+sebool: []
+# sebool:
+#   - name: httpd_use_fusefs
+#     state: True
+#     persistent: True
+
+system_swappiness: 10
+system_sysctl: {}
+# system_sysctl:
+#   vm.vfs_cache_pressure: 500
+#   vm.dirty_ratio: 10
+#   vm.dirty_background_ratio: 5
+
+# Disable traditional rsyslog daemon
+system_disable_syslog: False
+
+# Send journald logs to a remote server using systemd-journal-upload
+# system_journal_remote_uri: http://logs.example.com:19532
+
+# Max disk space used by the Journal. Default is 10% of the available space. But must be exressed as an absolute value in the conf
+# We can specify the max amount of space used, and the min amount of space left free. The smallest limit will apply
+system_journal_max_use: 3G
+system_journal_keep_free: 2G
+
+# System Timezone
+system_tz: 'Europe/Paris'
+
+# Tuned profile to apply. If undefined, virt-host and virt-guest are applied automatically when needed
+# system_tuned_profile: enterprise-storage
+
+# Frquency of the fstrim cron job. Can be daily, weekly or monthly
+system_fstrim_freq: weekly
+
+system_base_bash_aliases:
+  ls: 'ls $LS_OPTIONS'
+  ll: 'ls $LS_OPTIONS -l'
+  l: 'ls $LS_OPTIONS -lA'
+  rm: 'rm -i'
+  cp: 'cp -i'
+  mv: 'mv -i'
+
+system_extra_bash_aliases: {}
+system_bash_aliases: "{{ system_base_bash_aliases | combine(system_extra_bash_aliases, recursive=True) }}"
+
+# shell scriplet to exec on boot
+system_rc_local_base_cmd: []
+system_rc_local_extra_cmd: []
+system_rc_local_cmd: "{{ system_rc_local_base_cmd + system_rc_local_extra_cmd }}"
+
+# shell scriplet to exec on shutdown
+system_rc_local_shutdown_base_cmd: []
+system_rc_local_shutdown_extra_cmd: []
+system_rc_local_shutdown_cmd: "{{ system_rc_local_shutdown_base_cmd + system_rc_local_shutdown_extra_cmd }}"
+
+...

roles/common/files/bash_aliases.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
+alias ll='ls $LS_OPTIONS -l'
+alias l='ls $LS_OPTIONS -lA'
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'

roles/common/files/crond

@@ -0,0 +1 @@
+CRONDARGS="-s"

roles/common/files/fstrim_all

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+/sbin/fstrim -v --all
+
+# Proxmox container support
+if [ -x /usr/sbin/pct ]; then
+  for CONTAINER in $(/usr/sbin/pct list | awk '/^[0-9]/ {print $1}'); do
+    /sbin/fstrim -v /proc/$(lxc-info -n $CONTAINER -p | awk '{print $2}')/root
+  done
+fi

roles/common/files/vimrc.local_Debian

@@ -0,0 +1,4 @@
+let g:skip_defaults_vim=1
+set mouse-=a
+set background=dark
+syntax on

roles/common/handlers/main.yml

@@ -0,0 +1,33 @@
+---
+- name: rehash postfix
+  command: "postmap /etc/postfix/{{ item }}"
+  with_items:
+    - relay_auth
+
+- name: restart postfix
+  service: name=postfix state=restarted
+
+- name: newaliases
+  command: newaliases
+
+- name: restart journald
+  service: name=systemd-journald state=restarted
+
+- name: systemd-tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart crond
+  service: name=crond state=restarted
+
+- name: restart journal-upload
+  service: name=systemd-journal-upload state=restarted
+  when: remote_journal is defined
+
+- name: restart journald
+  service: name=systemd-journald state=restarted
+
+- name: load kmods
+  service: name=systemd-modules-load state=restarted

roles/common/meta/main.yml

@@ -0,0 +1,28 @@
+---
+allow_duplicates: no
+dependencies:
+  - role: mkdir
+  - role: system_proxy
+  - role: repo_base
+    when: ansible_os_family == 'RedHat'
+  - role: network
+  - role: iptables
+    when: iptables_manage | default(True)
+  - role: zabbix_agent
+  - role: fusioninventory_agent
+  - role: sssd_ldap_auth
+    when: ldap_auth | default(False)
+  - role: sssd_ad_auth
+    when: ad_auth | default(False)
+  - role: ntp_client
+    when: ansible_virtualization_role == 'host' or (ansible_virtualization_type != 'lxc' and ansible_virtualization_type != 'systemd-nspawn')
+  - role: sudo
+  - role: ssh
+  - role: patrix
+    when:
+      - patrix_enabled | default(True)
+      - patrix_server is defined
+      - (patrix_user is defined and patrix_pass is defined) or patrix_token is defined
+  - role: postfix
+    when: system_postfix | default(True)
+  - role: timers

roles/common/tasks/facts.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Check if tailf command exists
+  stat: path=/bin/tailf
+  register: system_tailf

roles/common/tasks/guest.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Check if qemu agent channel is available
+  stat: path=/dev/virtio-ports/org.qemu.guest_agent.0
+  register: qemu_ga_dev
+
+- include: guest_{{ ansible_os_family }}.yml
+  when:
+    - qemu_ga_dev.stat.exists
+    - ansible_virtualization_type == 'kvm'
+
+- name: Start and enable qemu guest agent
+  service: name=qemu-guest-agent state=started enabled=yes
+  when:
+    - qemu_ga_dev.stat.exists
+    - ansible_virtualization_type == 'kvm'

roles/common/tasks/guest_Debian.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Install qemu guest agent
+  apt: name=qemu-guest-agent state=present

roles/common/tasks/guest_RedHat.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Install qemu guest agent
+  yum: name=qemu-guest-agent state=present
+

roles/common/tasks/hardware.yml

@@ -0,0 +1,18 @@
+---
+
+- set_fact:
+    controllers: "{{ controllers | default([]) + [ ansible_devices[item].host ] }}"
+  with_items: "{{ ansible_devices.keys() | list }}"
+
+- set_fact:
+    lsi_controllers: "{{ controllers | select('match', '(?i).*(lsi|megaraid).*') | list | unique }}"
+
+- include_tasks: hardware_{{ ansible_os_family }}.yml
+
+- name: Remove MegaCli package
+  file: path=/tmp/{{ megacli }} state=absent
+  when:
+    - lsi_controllers | length > 0
+    - megacli_installed_version.stdout != megacli_version
+
+...

roles/common/tasks/hardware_Debian.yml

@@ -0,0 +1,30 @@
+---
+
+- set_fact: megacli=megacli_{{ megacli_version }}_all.deb
+
+- name: Install libncurses
+  apt:
+    name:
+      - libncurses5
+
+- name: Check if MegaCLi is installed (Debian)
+  shell: dpkg -s megacli | grep Version | awk '{ print $2 }' 2>/dev/null
+  args:
+    warn: False
+  register: megacli_installed_version
+  failed_when: False
+  changed_when: False
+  when: lsi_controllers | length > 0
+
+- name: Copy MegaCli package
+  copy: src={{ megacli }} dest=/tmp
+  when:
+    - lsi_controllers | length > 0
+    - megacli_installed_version.stdout != megacli_version
+
+- name: Install MegaCli (Debian)
+  apt: deb=/tmp/{{ megacli }} allow_unauthenticated=yes
+  when:
+    - lsi_controllers | length > 0
+    - megacli_installed_version.stdout != megacli_version
+ 

roles/common/tasks/hardware_RedHat.yml

@@ -0,0 +1,24 @@
+---
+
+- set_fact:
+    megacli: MegaCli-{{ megacli_version }}.noarch.rpm
+
+- name: Check if MegaCLi is installed
+  shell: rpm -q --qf "%{VERSION}-%{RELEASE}" MegaCli 2>/dev/null
+  register: megacli_installed_version
+  changed_when: False
+  failed_when: False
+  when: lsi_controllers | length > 0
+
+- name: Copy MegaCli package
+  copy: src={{ megacli }} dest=/tmp
+  when:
+    - lsi_controllers | length > 0
+    - megacli_installed_version.stdout != megacli_version
+
+- name: Install MegaCli
+  yum: name=/tmp/{{ megacli }} state=present
+  when:
+    - lsi_controllers | length > 0
+    - megacli_installed_version.stdout != megacli_version
+

roles/common/tasks/hostname.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set system hostname
+  hostname: name={{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*','\\1')) }}
+
+- name: Prevent PVE from changing /etc/hostname
+  copy: content='' dest=/etc/.pve-ignore.hostname
+  when: ansible_virtualization_type == 'lxc'
+
+...
+

roles/common/tasks/mail.yml

@@ -0,0 +1,15 @@
+---
+
+- when: system_admin_email is defined
+  block:
+    - name: Install postfix
+      package: name=postfix
+
+    - name: Configure root email forward
+      lineinfile:
+        dest: /etc/aliases
+        regexp: "^root:.*"
+        line: "root: {{ system_admin_email }}"
+      notify: newaliases
+
+...

roles/common/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+
+- include: facts.yml
+- include_tasks: utils.yml
+- include_tasks: hostname.yml
+- include_tasks: tz.yml
+- include_tasks: tuned.yml
+  when:
+    - ansible_virtualization_role == 'host' or ansible_virtualization_type != 'lxc'
+    - ansible_os_family == 'RedHat'
+- include_tasks: mail.yml
+- include_tasks: system.yml
+- include_tasks: hardware.yml
+  when: ansible_virtualization_role == 'host'
+- include_tasks: guest.yml
+  when:
+    - ansible_virtualization_role == 'guest'
+
+...

roles/common/tasks/system.yml

@@ -0,0 +1,153 @@
+---
+
+- name: Deploy journald.conf
+  template: src=journald.conf.j2 dest=/etc/systemd/journald.conf
+  when: ansible_service_mgr == 'systemd'
+  notify: restart journald
+
+- name: Allow userspace to trigger kernel autoload of modules
+  seboolean: name=domain_kernel_load_modules state=yes persistent=yes
+  when: ansible_selinux.status == 'enabled'
+  tags: selinux
+
+- name: Configure kmod to load
+  copy: content={{ system_kmods | join("\n") }} dest=/etc/modules-load.d/system.conf
+  register: system_kmods_file
+
+- name: Load needed kmods
+  service: name=systemd-modules-load state=restarted
+  when: system_kmods_file.changed
+
+- name: Set SELinux booleans
+  seboolean: name={{ item.name }} state={{ item.state }} persistent={{ item.persistent | default(True) }}
+  when: ansible_selinux.status == 'enabled'
+  with_items: "{{ sebool }}"
+
+- name: Set logrotate_t to permissive mode
+  selinux_permissive: name=logrotate_t permissive=True
+  when: ansible_selinux.status == 'enabled'
+
+- name: Create mount points directories
+  file: path={{ item.name }} state=directory
+  with_items: "{{ fstab }}"
+  ignore_errors: True # needed for some fuse mount points
+
+- name: Configure mount points
+  mount:
+    name: "{{ item.name }}"
+    src: "{{ item.src }}"
+    fstype: "{{ item.fstype | default(omit) }}"
+    opts: "{{ item.opts | default(omit) }}"
+    boot: "{{ item.boot | default(omit) }}"
+    state: "{{ item.state | default('mounted') }}"
+  with_items: "{{ fstab }}"
+
+- name: Set swappiness
+  sysctl:
+    name: vm.swappiness
+    value: "{{ system_swappiness }}"
+    sysctl_file: /etc/sysctl.d/ansible.conf
+    state: present
+  when: ansible_virtualization_role == 'host' or (ansible_virtualization_type != 'lxc' and ansible_virtualization_type != 'systemd-nspawn')
+
+- name: Set sysctl values
+  sysctl:
+    name: "{{ item }}"
+    value: "{{ system_sysctl[item] }}"
+    sysctl_file: /etc/sysctl.d/ansible.conf
+    state: present
+  when: ansible_virtualization_role == 'host' or ansible_virtualization_type != 'lxc'
+  loop: "{{ system_sysctl.keys() | list }}"
+
+- name: Create symlink for restricted bash
+  file:
+    src: /bin/bash
+    dest: /bin/rbash
+    state: link
+
+- name: Set bash as default shell
+  file:
+    src: /bin/bash
+    dest: /bin/sh
+    state: link
+
+- name: Configure logrotate compression
+  blockinfile:
+    dest: /etc/logrotate.conf
+    insertbefore: BOF
+    block: |
+      compress
+      compressoptions -T0
+      compresscmd /usr/bin/xz
+      compressext .xz
+      uncompresscmd /usr/bin/unxz
+
+- name: Configure crond to send cron's log to syslog
+  copy: src=crond dest=/etc/sysconfig/crond mode=600
+  notify: restart crond
+  when: ansible_os_family == 'RedHat'
+
+- name: Deploy fstrim script
+  copy: src=fstrim_all dest=/usr/local/bin/fstrim_all mode=755
+
+- name: Add a cron task to run fstrim
+  cron:
+    name: fstrim
+    special_time: "{{ system_fstrim_freq }}"
+    user: root
+    job: 'sleep $(( 3600 + 1$(/bin/date +\%N) \% 7200 )); /usr/bin/systemd-cat /usr/local/bin/fstrim_all'
+    cron_file: fstrim
+    state: "{{ (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'lxc') | ternary('absent','present') }}"
+
+- name: Deploy global vimrc
+  copy: src=vimrc.local_{{ ansible_os_family }} dest=/etc/vim/vimrc.local
+  when: ansible_os_family == 'Debian'
+
+- name: Configure vim for dark background
+  lineinfile: path=/etc/vimrc regexp='^set\sbackground=' line='set background=dark'
+  when: ansible_os_family == 'RedHat'
+
+- name: Configure screen to use login shell
+  lineinfile: path=/etc/screenrc regexp='^shell\s.*' line='shell -/bin/sh'
+  when: ansible_os_family == 'Debian'
+
+- name: Handle syslog daemon
+  service:
+    name: rsyslog
+    state: "{{ (system_disable_syslog | default(False)) | ternary('stopped','started') }}"
+    enabled: "{{ (system_disable_syslog | default(False)) | ternary(False,True) }}"
+
+- name: Remove old bash aliases script
+  file: path=/etc/profile.d/bash_aliases.sh state=absent
+
+- name: Deploy bash aliases
+  template: src=bash_aliases.sh.j2 dest=/etc/profile.d/ansible_aliases.sh mode=755
+
+- name: Ensure /etc/rc.d exists
+  file: path=/etc/rc.d state=directory
+
+- name: Deploy rc.local script
+  template: src=rc.local.j2 dest=/etc/rc.d/rc.local mode=755
+
+- name: Deploy rc.local.shutdown script
+  template: src=rc.local.shutdown.j2 dest=/etc/rc.d/rc.local.shutdown mode=755
+
+  # Debian is using /etc/rc.local while RHEL is using /etc/rc.d/rc.local
+- name: Link /etc/rc.local to /etc/rc.d/rc.local
+  file: src=/etc/rc.d/rc.local path=/etc/rc.local state=link force=True
+
+- name: Link /etc/rc.local.shutdown to /etc/rc.d/rc.local.shutdown
+  file: src=/etc/rc.d/rc.local.shutdown path=/etc/rc.local.shutdown state=link force=True
+
+- name: Deploy rc-local-shutdown systemd unit
+  template: src=rc-local-shutdown.service.j2 dest=/etc/systemd/system/rc-local-shutdown.service
+  register: system_rc_local_shutdown_unit
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: system_rc_local_shutdown_unit.changed
+
+- name: Enable rc-local-shutdown service
+  service: name=rc-local-shutdown enabled=True
+
+...

roles/common/tasks/tuned.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Install tuned service
+  yum: name=tuned state=present
+
+- name: Enabling tuned
+  service: name=tuned state=started enabled=yes
+
+- name: Check actual tuned profile
+  shell: "tuned-adm active | awk -F': ' '{print $2}'"
+  register: tuned_profile
+  changed_when: False
+  ignore_errors: True
+
+- name: Applying custom tuned profile
+  command: tuned-adm profile {{ system_tuned_profile }}
+  when:
+    - system_tuned_profile is defined
+    - tuned_profile.stdout != system_tuned_profile
+
+- name: Applying virtual guest tuned profile
+  command: tuned-adm profile virtual-guest
+  when:
+    - ansible_virtualization_role == "guest"
+    - tuned_profile.stdout != "virtual-guest"
+    - system_tuned_profile is not defined
+
+- name: Applying virtual host tuned profile
+  command: tuned-adm profile virtual-host
+  when:
+    - ansible_virtualization_role == "host"
+    - tuned_profile.stdout != "virtual-host"
+    - system_tuned_profile is not defined
+
+...

roles/common/tasks/tz.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Set system TZ
+  timezone: name={{ system_tz }}
+  when: system_tz is defined

roles/common/tasks/utils.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Install common utilities
+  package:
+    name: "{{ system_utils + system_distro_utils }}"
+
+- name: Install extra softwares
+  package:
+    name: "{{ system_extra_pkgs }}"
+
+  # Screendump is not used, and prevent using tab to use screen quickly, so remove it
+- name: Check if screendump is present
+  stat: path=/usr/bin/screendump
+  register: system_screendump
+
+- name: Rename screendump
+  command: mv -f /usr/bin/screendump /usr/bin/_screendump
+  when: system_screendump.stat.exists
+...

roles/common/templates/bash_aliases.sh.j2

@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+# {{ ansible_managed }}
+
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+
+{% for alias in system_bash_aliases.keys() | list %}
+alias {{ alias }}='{{ system_bash_aliases[alias] }}'
+{% endfor %}
+{% if not system_tailf.stat.exists %}
+alias tailf='tail -f'
+{% endif %}

roles/common/templates/journal-upload.conf.j2

@@ -0,0 +1,7 @@
+[Upload]
+{% if system_journal_remote_uri is defined and system_journal_remote_uri | regex_search('^https?://') %}
+URL={{ system_journal_remote_uri }}
+{% if ansible_os_family == 'RedHat' %}
+TrustedCertificateFile=/etc/pki/tls/cert.pem
+{% endif %}
+{% endif %}

roles/common/templates/journald.conf.j2

@@ -0,0 +1,4 @@
+[Journal]
+SystemMaxFileSize=100M
+SystemMaxUse={{ system_journal_max_use }}
+SystemKeepFree={{ system_journal_keep_free }}

roles/common/templates/rc-local-shutdown.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=/etc/rc.d/rc.local.shutdown compatibility
+ConditionFileIsExecutable=/etc/rc.d/rc.local.shutdown
+DefaultDependencies=no
+After=rc-local.service basic.target
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/rc.d/rc.local.shutdown
+StandardInput=tty
+RemainAfterExit=yes
+
+[Install]
+WantedBy=shutdown.target

roles/common/templates/rc.local.j2

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+{% for cmd in system_rc_local_cmd %}
+{{ cmd }}
+{% endfor %}
+
+exit 0

roles/common/templates/rc.local.shutdown.j2

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+{% for cmd in system_rc_local_shutdown_cmd %}
+{{ cmd }}
+{% endfor %}
+
+exit 0

roles/common/templates/systemd-journal-upload.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=Journal Remote Upload Service
+After=network.target
+
+[Service]
+ExecStart=/lib/systemd/systemd-journal-upload \
+          --save-state
+User=systemd-journal-upload
+PrivateTmp=yes
+PrivateDevices=yes
+WatchdogSec=20min
+Restart=always
+RestartSec=10min
+TimeoutStopSec=10
+
+# If there are many split up journal files we need a lot of fds to
+# access them all and combine
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+

roles/common/vars/Debian-10.yml

@@ -0,0 +1,10 @@
+---
+
+system_distro_utils:
+  - apt-transport-https
+  - openssh-client
+  - netcat
+  - xz-utils
+  - liblz4-tool
+  - sshfs
+  - zstd

roles/common/vars/Debian-11.yml

@@ -0,0 +1,10 @@
+---
+
+system_distro_utils:
+  - apt-transport-https
+  - openssh-client
+  - netcat
+  - xz-utils
+  - liblz4-tool
+  - sshfs
+  - zstd

roles/common/vars/Debian-8.yml

@@ -0,0 +1,9 @@
+---
+
+system_distro_utils:
+  - apt-transport-https
+  - openssh-client
+  - netcat
+  - xz-utils
+  - liblz4-tool
+  - sshfs

roles/common/vars/Debian-9.yml

@@ -0,0 +1,10 @@
+---
+
+system_distro_utils:
+  - apt-transport-https
+  - openssh-client
+  - netcat
+  - xz-utils
+  - liblz4-tool
+  - sshfs
+  - zstd

roles/common/vars/RedHat-7.yml

@@ -0,0 +1,13 @@
+---
+
+system_distro_utils:
+  - openssh-clients
+  - nc
+  - xz
+  - lz4
+  - yum-utils
+  - fuse-sshfs
+  - policycoreutils-python
+  - MySQL-python
+  - python-psycopg2
+  - zstd

roles/common/vars/RedHat-8.yml

@@ -0,0 +1,13 @@
+---
+
+system_distro_utils:
+  - openssh-clients
+  - nc
+  - xz
+  - lz4
+  - yum-utils
+  - fuse-sshfs
+  - policycoreutils-python-utils
+  - python3-mysql
+  - python3-psycopg2
+  - zstd

roles/common/vars/Ubuntu-20.yml

@@ -0,0 +1,10 @@
+---
+
+system_distro_utils:
+  - apt-transport-https
+  - openssh-client
+  - netcat
+  - xz-utils
+  - liblz4-tool
+  - sshfs
+  - zstd