---
# http://ryaneschinger.com/blog/securing-a-server-with-ansible/
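# hostname
- name: Set the hostname in /etc/hostname
  become: true
  hostname:
    # quoted so an empty or boolean-looking expansion is still a string
    name: "{{ server_hostname }}"
  register: hostname

- name: Create /etc/hosts file
  become: true
  template:
    src: etc/hosts.j2
    dest: /etc/hosts
    owner: root
    group: root
    mode: "0644"  # quoted: a bare 0644 is the integer 420 in YAML 1.1
  # only rewrite hosts when the hostname task actually changed something
  when: hostname.changed

# the original task name states that the apt-module tasks further down need
# aptitude; the apt module is used here instead of a raw `apt-get install`
# so the task reports "changed" only when the package was really installed
- name: install aptitude package needed for following packages install via ansible apt module
  become: true
  apt:
    name: aptitude
    state: present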
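# basic system packages installation
- name: Update APT package cache
  become: true
  apt:
    update_cache: true

- name: Run apt-get upgrade
  become: true
  apt:
    # `safe` upgrades installed packages without removing or adding others
    upgrade: safe

# one apt transaction for the whole list instead of one per item; the
# `state: latest` choice means two runs can install different versions —
# consider `present` if reproducible hosts matter more than freshness
- name: apt - install basic system packages
  become: true
  apt:
    name:
      - curl
      - git
      - tree
      - htop
      - mlocate
      - fail2ban
    state: latest
    update_cache: true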
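# time-related tasks
- name: install system packages for time management
  become: true
  apt:
    name:
      - ntp
      - tzdata
    state: latest
    update_cache: true

- name: set timezone to {{ timezone }}
  become: true
  template:
    src: etc/timezone
    dest: /etc/timezone
    owner: root
    group: root
    mode: "0644"  # quoted: a bare 0644 is the integer 420 in YAML 1.1
  notify: update-tzdata

# NOTE(review): ntpdate refuses to run ("socket is in use") while the ntpd
# started by the ntp package above is running, so this job is likely
# redundant on hosts where ntpd is active — confirm before relying on it
- name: NTP sync cronjob
  become: true
  cron:
    name: "NTP sync"
    user: root
    minute: "01"  # quoted: a leading zero would otherwise be read as octal
    hour: "01"
    job: "/usr/sbin/ntpdate fr.pool.ntp.org"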
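# user configuration
- name: Add deployment user
  become: true
  user:
    name: deploy
    # the user module expects a crypt(3) hash here, never a plaintext password
    password: "{{ deploy_password_hash }}"
    state: present
    append: true
    groups: sudo
    shell: "{{ deploy_shell }}"

- name: Add ssh user keys
  become: true
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ item.key }}"
  with_items: "{{ ssh_users }}"

# - name: Remove sudo group rights
#   lineinfile: dest=/etc/sudoers regexp="^%sudo" state=absent

- name: Add .bashrc to user deploy for custom prompt
  become: true
  copy:
    src: home/deploy/.bashrc
    dest: /home/deploy/.bashrc
    owner: deploy
    group: deploy
    mode: "0644"

- name: Add .bashrc to user root for custom prompt
  become: true
  copy:
    src: root/.bashrc
    dest: /root/.bashrc
    owner: root
    group: root
    mode: "0644"

# with NOPASSWD the deploy user's SSH key is root-equivalent; keep it to
# the keys listed in ssh_users. `validate` runs visudo on the candidate
# file first so a malformed edit cannot lock everyone out of sudo.
- name: deploy user can sudo without password prompt
  become: true
  lineinfile:
    dest: /etc/sudoers
    # anchored so a comment or an unrelated entry mentioning "deploy ALL"
    # is not mistaken for the managed line
    regexp: '^deploy\s+ALL'
    line: 'deploy ALL=(ALL) NOPASSWD:ALL'
    state: present
    validate: '/usr/sbin/visudo -cf %s'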
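# automatic upgrades
- name: Install unattended-upgrades
  become: true
  apt:
    name: unattended-upgrades
    state: present

- name: Adjust APT update intervals
  become: true
  template:
    src: etc/apt/apt.conf.d/10periodic
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: "0644"

# the source restriction itself lives in the template, which is not part of
# this file — review the template to confirm only the -security pocket is
# allowed
- name: Make sure unattended-upgrades only installs from $ubuntu_release-security
  become: true
  template:
    src: etc/apt/apt.conf.d/50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: "0644"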
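# enable server to send emails
# NOTE(review): debconf answers only take effect when the postfix package is
# installed (or reconfigured) afterwards; no postfix install task is visible
# in this file — confirm it exists elsewhere in the play
- name: Set up Postfix to relay mail
  become: true
  debconf:
    name: postfix
    question: "{{ item.question }}"
    value: "{{ item.value }}"
    vtype: "{{ item.vtype }}"
  with_items:
    - question: postfix/mailname
      value: "{{ server_hostname }}.{{ server_domain_name }}"
      vtype: string
    - question: postfix/main_mailer_type
      value: Internet Site
      vtype: string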
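# setup logwatch
- name: Install logwatch
  become: true
  apt:
    name: logwatch
    state: present  # `installed` is a deprecated alias of `present`

# the original line carried a literal `$logwatch_email`, a leftover of the
# pre-Jinja variable syntax: it was written verbatim into the cron script and
# expanded to an empty string by the shell at run time, so the daily report
# had no recipient. The address now comes from the logwatch_email variable.
- name: Make logwatch mail $logwatch_email daily
  become: true
  lineinfile:
    dest: /etc/cron.daily/00logwatch
    regexp: '^/usr/sbin/logwatch'
    line: "/usr/sbin/logwatch --output mail --mailto {{ logwatch_email }} --detail high"
    state: present
    create: true
    # a script created from scratch must be executable or cron.daily skips it
    mode: "0755"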
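# configure and enable firewall
- name: Install uncomplicated firewall
  become: true
  apt:
    name: ufw
    state: present  # `installed` is a deprecated alias of `present`

# rules are added before `ufw enable` so enabling never cuts off the SSH
# session; `22/tcp` and `ssh` are the same rule, ufw reports the second as
# "Skipping adding existing rule". The playbook does not set the incoming
# default policy explicitly and relies on ufw's packaged default (deny) —
# confirm /etc/default/ufw on hosts that were not freshly installed.
- name: Set firewall rules
  become: true
  command: ufw allow {{ item }}
  register: ufw_result
  # ufw prints "Rule added" for a new rule, "Skipping ..." for an existing one
  changed_when: "ufw_result.stdout.startswith('Rule')"
  with_items:
    - 80/tcp
    - 443/tcp
    - 22/tcp
    - ssh

- name: Configure ufw logging
  become: true
  ufw:
    # quoted: a bare `on` is the boolean true in YAML 1.1, which the ufw
    # module rejects (it expects on/off/low/medium/high/full)
    logging: 'on'
  notify: restart ufw

- name: Check status of ufw
  become: true
  command: ufw status
  register: ufw_status
  changed_when: false  # never report as "changed"

- name: Check config of ufw
  become: true
  command: cat /etc/ufw/ufw.conf
  register: ufw_config
  changed_when: false  # never report as "changed"

- name: Enable ufw
  become: true
  command: ufw --force enable
  when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"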
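# login configuration (sshd). Must be kept as last item to rerun the playbook easily if an error occurs
# `validate` runs `sshd -t` against the candidate file before it replaces
# sshd_config, so a bad edit fails the task instead of being followed by a
# restart that would lock out every SSH session.
# NOTE(review): on releases whose sshd_config starts with an `Include
# sshd_config.d/*.conf`, a drop-in file is read first and wins over these
# lines (sshd keeps the first value) — confirm no drop-in re-enables either
# option. PasswordAuthentication alone does not cover PAM keyboard-interactive
# logins; check ChallengeResponseAuthentication/KbdInteractiveAuthentication
# on the target as well.
- name: Disallow root SSH access
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart sshd

- name: Disallow password authentication
  become: true
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart sshd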