Ansible_PUBLIC/common.yml

# playbook.yml:
---
- name: "common config"
  hosts: localhost
  connection: local
  vars_files:
    - variables.yml

  tasks:
    - name: "check the variable: users"
      fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in users'

    - name: "check the variable: hostname"
      fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in hostname'

#    - name: "check the variable: tinc_vpn"
#      fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
#      when: '"CHANGEME" in tinc_vpn'

###

    - name: change hostname to myserver
      hostname:
        name: "{{ hostname }}"

    - name: add myself to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.0\.1[ \t]+localhost'
        line: '127.0.0.1 localhost {{ hostname }}'
        state: present


    - name: Set timezone to {{ timezone }}
      timezone:
        name: "{{ timezone }}"

    - name: Update repositories cache
      apt:
        update_cache: yes

    - name: Install a list of packages
      apt:
        pkg:
        - htop
        - iotop
#        - glances
        - screen
        - sysstat
        - git
        - nmap
        - ntp
        - tinc
        - fail2ban
        - iptables-persistent
        - ssh
        - locales-all
        - curl
        - wget
        - net-tools
        - apt-transport-https
        - ca-certificates
        - gnupg
        - lsb-release
        - rsync
        - telnet

    - debug:
        msg: The main interface is {{ ansible_default_ipv4.interface }}

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      with_items: "{{ users }}"

    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
      with_items: "{{ users }}"

    - name: Fix Debian10's shitty executables paths
      lineinfile:
        dest: /etc/environment
        line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
        state: present
      when: ansible_distribution == 'Debian' and ansible_distribution_major_version >= '10'

    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    - name: create rules.v6
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    - name: reload iptables v4
      action: shell /sbin/iptables-restore /scripts/rules.v4

    - name: reload iptables v4
      action: shell /sbin/ip6tables-restore /scripts/rules.v6

    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6


    - name: "Copy file with owner and permissions"
      copy:
        backup: yes
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'

    - name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"
      command: systemd-detect-virt
      register: systemd_detect_virt

    # Set vm.swappiness to 1 in /etc/sysctl.conf
    - name: "Set swappiness to zero in sysctl.conf"
      sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
      when: systemd_detect_virt.stdout != "lxc"

    - name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4*1024*1024*1024/16384/2 = 4*32768 = 131072"
      sysctl:
        name: net.netfilter.nf_conntrack_max
        value: '131072'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
        #source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html
      when: systemd_detect_virt.stdout != "lxc"

    - name: Disable IPv6 with sysctl
      sysctl: name={{ item }} value=1 state=present reload=yes
      with_items:
        - net.ipv6.conf.all.disable_ipv6
        - net.ipv6.conf.default.disable_ipv6
        - net.ipv6.conf.lo.disable_ipv6
      when: systemd_detect_virt.stdout != "lxc"

    - ansible.builtin.include_role:
        name: ssh_hardening

    - name: "copy iptables disable script to/scripts"
      copy:
        backup: yes
        src: "{{ playbook_dir }}/repo/disable_iptables.sh"
        dest: /scripts/disable_iptables.sh
        owner: root
        group: root
        mode: '0744'
first commit 2020-03-13 20:05:35 +01:00			`# playbook.yml:`
			`---`
			`- name: "common config"`
fixed local running since in Debian 11 ansible installation is made trough python modules, there is no /etc/ansible/ configfiles anymore, now we don't need to populate the ansible hosts anymore! 2021-09-10 16:53:51 +02:00			`hosts: localhost`
first commit 2020-03-13 20:05:35 +01:00			`connection: local`
fix variables loading in common 2020-03-14 11:01:22 +01:00			`vars_files:`
			`- variables.yml`
first commit 2020-03-13 20:05:35 +01:00
			`tasks:`
removed part of iptables command for compatibility 2020-03-19 18:43:51 +01:00			`- name: "check the variable: users"`
			`fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"`
fix variables checking and add instructions for setting variables 2020-03-14 11:28:22 +01:00			`when: '"CHANGEME" in users'`

removed part of iptables command for compatibility 2020-03-19 18:43:51 +01:00			`- name: "check the variable: hostname"`
			`fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"`
fix variables checking and add instructions for setting variables 2020-03-14 11:28:22 +01:00			`when: '"CHANGEME" in hostname'`

removed tinc variable population check 2021-09-10 16:54:12 +02:00			`# - name: "check the variable: tinc_vpn"`
			`# fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"`
			`# when: '"CHANGEME" in tinc_vpn'`
fix tinc_vpn variable 2020-03-14 15:20:24 +01:00
			`###`

add hostname 2020-03-14 00:24:47 +01:00			`- name: change hostname to myserver`
			`hostname:`
fix variables loading in common 2020-03-14 11:01:22 +01:00			`name: "{{ hostname }}"`
add hostname 2020-03-14 00:24:47 +01:00
			`- name: add myself to /etc/hosts`
			`lineinfile:`
			`dest: /etc/hosts`
			`regexp: '^127\.0\.0\.1[ \t]+localhost'`
			`line: '127.0.0.1 localhost {{ hostname }}'`
			`state: present`


fix README 2020-03-14 15:45:17 +01:00			`- name: Set timezone to {{ timezone }}`
first commit 2020-03-13 20:05:35 +01:00			`timezone:`
removed part of iptables command for compatibility 2020-03-19 18:43:51 +01:00			`name: "{{ timezone }}"`
first commit 2020-03-13 20:05:35 +01:00
			`- name: Update repositories cache`
			`apt:`
			`update_cache: yes`

			`- name: Install a list of packages`
			`apt:`
			`pkg:`
			`- htop`
			`- iotop`
removed glances installation commented glances installation since it's not in debian 11 repos anymore and it's heavy and not really needed. 2021-09-10 16:55:05 +02:00			`# - glances`
first commit 2020-03-13 20:05:35 +01:00			`- screen`
			`- sysstat`
			`- git`
			`- nmap`
			`- ntp`
			`- tinc`
			`- fail2ban`
			`- iptables-persistent`
added ssh to the packages installation since it might not be installed and the hardening is not optional 2020-03-19 18:44:47 +01:00			`- ssh`
Fix Debian10's shitty executables paths 2020-11-10 19:20:16 +01:00			`- locales-all`
Update 'common.yml' 2020-12-12 23:30:55 +01:00			`- curl`
			`- wget`
added net-tools to the default install 2021-02-06 22:59:49 +01:00			`- net-tools`
Update 'common.yml' 2021-10-03 01:50:02 +02:00			`- apt-transport-https`
			`- ca-certificates`
			`- gnupg`
			`- lsb-release`
added rsync and telnet to the isntalled packages 2021-10-03 02:00:48 +02:00			`- rsync`
			`- telnet`
first commit 2020-03-13 20:05:35 +01:00
			`- debug:`
			`msg: The main interface is {{ ansible_default_ipv4.interface }}`

			`- name: Create a directory if it does not exist`
			`file:`
			`path: /scripts`
			`state: directory`
			`mode: '0755'`

			`- name: "Create user accounts and add users to groups"`
			`user:`
			`name: "{{ item }}"`
			`shell: "/bin/bash"`
			`with_items: "{{ users }}"`

			`- name: "Add authorized keys"`
			`authorized_key:`
			`user: "{{ item }}"`
			`key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"`
			`with_items: "{{ users }}"`

Fix Debian10's shitty executables paths 2020-11-10 19:20:16 +01:00			`- name: Fix Debian10's shitty executables paths`
			`lineinfile:`
			`dest: /etc/environment`
			`line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'`
			`state: present`
uptade fixing executables vars for deb11 2021-09-10 17:01:16 +02:00			`when: ansible_distribution == 'Debian' and ansible_distribution_major_version >= '10'`
Update 'common.yml' 2020-09-14 20:27:46 +02:00
first commit 2020-03-13 20:05:35 +01:00			`- name: create rules.v4`
			`blockinfile:`
			`create: yes`
			`state: present`
			`dest: "/scripts/rules.v4"`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK #"`
			`block: \|`
			`# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019`
			`*filter`
			`:INPUT DROP [0:0]`
			`:FORWARD DROP [0:0]`
			`:OUTPUT ACCEPT [372:91728]`
			`:fail2ban-ssh - [0:0]`
			`-A INPUT -i lo -j ACCEPT`
			`-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh`
			`-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT`
			`-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT`
second commit 2020-03-14 00:10:06 +01:00			`-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT`
first commit 2020-03-13 20:05:35 +01:00			`-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`-A INPUT -j DROP`
			`-A OUTPUT -o lo -j ACCEPT`
			`-A fail2ban-ssh -j RETURN`
			`COMMIT`
			`# Completed on Tue Nov 19 22:41:29 2019`

			`- name: create rules.v6`
			`blockinfile:`
			`create: yes`
			`state: present`
			`dest: "/scripts/rules.v6"`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK #"`
			`block: \|`
			`# Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019`
			`*filter`
			`:INPUT DROP [0:0]`
			`:FORWARD DROP [0:0]`
			`:OUTPUT DROP [0:0]`
			`COMMIT`
			`# Completed on Tue Nov 19 22:58:08 2019`

			`- name: reload iptables v4`
removed part of iptables command for compatibility 2020-03-19 18:43:51 +01:00			`action: shell /sbin/iptables-restore /scripts/rules.v4`
first commit 2020-03-13 20:05:35 +01:00
			`- name: reload iptables v4`
removed part of iptables command for compatibility 2020-03-19 18:43:51 +01:00			`action: shell /sbin/ip6tables-restore /scripts/rules.v6`
first commit 2020-03-13 20:05:35 +01:00
			`- name: save iptables v4 rules`
			`shell: iptables-save > /etc/iptables/rules.v4`

			`- name: save iptables v6 rules`
			`shell: ip6tables-save > /etc/iptables/rules.v6`


			`- name: "Copy file with owner and permissions"`
			`copy:`
			`backup: yes`
			`src: "{{ playbook_dir }}/repo/bashrc"`
			`dest: /root/.bashrc`
			`owner: root`
			`group: root`
			`mode: '0644'`

added support for lxc container by kipping sysctl tasks when in a container 2024-02-11 15:52:43 +01:00			`- name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"`
			`command: systemd-detect-virt`
			`register: systemd_detect_virt`

changed swappiness to 1 2022-10-14 19:02:28 +02:00			`# Set vm.swappiness to 1 in /etc/sysctl.conf`
added disabling of ipv6 2021-10-03 01:41:50 +02:00			`- name: "Set swappiness to zero in sysctl.conf"`
			`sysctl:`
fixed ssh_hardening function call 2021-10-03 01:24:11 +02:00			`name: vm.swappiness`
changed swappiness to 1 2022-10-14 19:02:28 +02:00			`value: '1'`
fixed ssh_hardening function call 2021-10-03 01:24:11 +02:00			`state: present`
added disabling of ipv6 2021-10-03 01:41:50 +02:00			`reload: yes`
fixed ssh_hardening function call 2021-10-03 01:24:11 +02:00			`sysctl_file: /etc/sysctl.conf`
added support for lxc container by kipping sysctl tasks when in a container 2024-02-11 15:52:43 +01:00			`when: systemd_detect_virt.stdout != "lxc"`

added nf_conntrack_max to sysctl 2022-08-21 01:49:25 +02:00			`- name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4102410241024/16384/2 = 432768 = 131072"`
			`sysctl:`
			`name: net.netfilter.nf_conntrack_max`
			`value: '131072'`
			`state: present`
			`reload: yes`
			`sysctl_file: /etc/sysctl.conf`
Update 'common.yml' 2022-08-21 02:26:38 +02:00			`#source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html`
added support for lxc container by kipping sysctl tasks when in a container 2024-02-11 15:52:43 +01:00			`when: systemd_detect_virt.stdout != "lxc"`
fixed ssh_hardening function call 2021-10-03 01:24:11 +02:00
added disabling of ipv6 2021-10-03 01:41:50 +02:00			`- name: Disable IPv6 with sysctl`
			`sysctl: name={{ item }} value=1 state=present reload=yes`
			`with_items:`
			`- net.ipv6.conf.all.disable_ipv6`
			`- net.ipv6.conf.default.disable_ipv6`
			`- net.ipv6.conf.lo.disable_ipv6`
added support for lxc container by kipping sysctl tasks when in a container 2024-02-11 15:52:43 +01:00			`when: systemd_detect_virt.stdout != "lxc"`
added disabling of ipv6 2021-10-03 01:41:50 +02:00
Update 'common.yml' 2022-12-27 19:41:06 +01:00			`- ansible.builtin.include_role:`
			`name: ssh_hardening`
added disable-iptables 2022-08-18 10:09:32 +02:00
			`- name: "copy iptables disable script to/scripts"`
			`copy:`
			`backup: yes`
			`src: "{{ playbook_dir }}/repo/disable_iptables.sh"`
			`dest: /scripts/disable_iptables.sh`
			`owner: root`
			`group: root`
			`mode: '0744'`