
first commit

panda 4 years ago
commit
0016da9fed

+ 40 - 0
README.md

@@ -0,0 +1,40 @@
+PREREQUISITES:
+
+apt-get install -y ansible
+
+	echo "[thismachine]" >> /etc/ansible/hosts
+	echo "127.0.0.1" >> /etc/ansible/hosts
+
+
+SETUP:
+
+insert your user and key in:
+	common.yml
+in the list:
+	  vars:
+	    users:
+	      goofy
+
+and their ssh keys in the folder
+	keys
+in form of filename:
+	goofy.key.pub
+and format:
+	ssh-rsa [/CUT] user@host
+
+
+RUN DEFAULTS:
+
+	ansible-playbook common.yml
+
+
+
+
+
+GIT PUSH:
+	git add --all
+	git commit -m "added things to readme"
+	git push -u origin master
+
+or:
+	git add --all && git commit -m "message" && git push -u origin master

+ 130 - 0
ansible/common.yml

@@ -0,0 +1,130 @@
+# playbook.yml:
+---
+- name: "common config"
+  hosts: thismachine
+  connection: local
+
+  vars:
+    users:
+    - panda
+
+  tasks:
+    - name: Set timezone to Europe/Rome
+      timezone:
+        name: Europe/Rome
+
+    - name: Update repositories cache
+      apt:
+        update_cache: yes
+
+    - name: Install a list of packages
+      apt:
+        pkg:
+        - htop
+        - iotop
+        - glances
+        - screen
+        - sysstat
+        - git
+        - nmap
+        - ntp
+        - tinc
+        - fail2ban
+        - iptables-persistent
+
+    - debug:
+        msg: The main interface is {{ ansible_default_ipv4.interface }}
+
+    - name: Create a directory if it does not exist
+      file:
+        path: /scripts
+        state: directory
+        mode: '0755'
+
+    - name: "Create user accounts and add users to groups"
+      user:
+        name: "{{ item }}"
+        shell: "/bin/bash"
+      with_items: "{{ users }}"
+
+    - name: "Add authorized keys"
+      authorized_key:
+        user: "{{ item }}"
+        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
+      with_items: "{{ users }}"
+
+    - name: create rules.v4
+      blockinfile:
+        create: yes
+        state: present
+#        path: "/scripts/rules.v4"
+        dest: "/scripts/rules.v4"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT ACCEPT [372:91728]
+          :fail2ban-ssh - [0:0]
+          -A INPUT -i lo -j ACCEPT
+          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -i vcn -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -s 172.20.1.125/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda blackfox" -j ACCEPT
+          -A INPUT -s 172.20.1.65/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda kiwi" -j ACCEPT
+          -A INPUT -s 172.20.1.90/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda scass1" -j ACCEPT
+          #-A INPUT -s 172.20.1.82/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment davide -j ACCEPT
+          #-A INPUT -s 172.20.1.15/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment encrypt -j ACCEPT
+          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+          -A INPUT -j DROP
+          -A OUTPUT -o lo -j ACCEPT
+          -A fail2ban-ssh -j RETURN
+          COMMIT
+          # Completed on Tue Nov 19 22:41:29 2019
+
+    - name: create rules.v6
+      blockinfile:
+        create: yes
+        state: present
+#        path: "/scripts/rules.v4"
+        dest: "/scripts/rules.v6"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT DROP [0:0]
+          COMMIT
+          # Completed on Tue Nov 19 22:58:08 2019
+
+    - name: reload iptables v4
+      action: shell /sbin/iptables-restore -! < /scripts/rules.v4
+
+    - name: reload iptables v4
+      action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6
+
+    - name: save iptables v4 rules
+      shell: iptables-save > /etc/iptables/rules.v4
+
+    - name: save iptables v6 rules
+      shell: ip6tables-save > /etc/iptables/rules.v6
+
+
+    - name: "Copy file with owner and permissions"
+      copy:
+        backup: yes
+        src: "{{ playbook_dir }}/repo/bashrc"
+        dest: /root/.bashrc
+        owner: root
+        group: root
+        mode: '0644'
+
+
+- name: "ssh_hardening"
+  hosts: thismachine
+  connection: local
+  roles:
+    - ssh_hardening
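Review bot: The second of the two reload tasks is named `reload iptables v4` but runs `ip6tables-restore` on rules.v6; rename it `- name: reload iptables v6` so a failure in the play output points at the right ruleset. The four restore/save tasks are plain `shell`/`action: shell` with no `changed_when`, so they report changed on every run and the play is never idempotent; add `changed_when: false` to them, or turn the two save tasks into a handler notified by the `blockinfile` tasks. The generated rules.v4 block accepts tcp/22 on `{{ ansible_default_ipv4.interface }}` from any source with only the fail2ban-ssh chain ahead of it, which is presumably deliberate because the `ssh_hardening` play that follows removes password logins — a one-line comment above the `create rules.v4` task stating that dependency on play order would make the intent clear. The same remarks apply to the identical copy committed as common.yml at the top level.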

+ 2 - 0
ansible/keys/panda.key.pub

@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDggvHQafvmP/bTxL4N0ZllGYuHlOVH66iOmgI4FXbndfwhWXumVVWR7W24UTz1SWdfrakDvz87QY4F6mva4pVSNgXQtKCFYewSrCw5+hxF/iHncwYTAq6TJFfGEXtb1irJDEJAnatCINQqZD5vEXkogbansfMvhq0xnnbO0PeTb3QMAGr+2WtZhsUoLY60TQY3nKvTUIzNeCMZBrlNXZueyVTsldyLZY0izkP6c14UjzhrCJ9K0GrbquDyHHb2H3eBiDLknQkmiqWSemWWnZTE0NaJad+tI+yrORa7S5LeuIg1uD0xxkACz+oSIwg8TVDViOyFSUqQ5CoJnQlWKk6YWNyZiPkQSfNt4em/hrVNma6bCgFQaV/pYaRIhze+LkGRyHfC1eHGIK/NGNBYiHF0/sTOpDIFiFrTUXwo5L6J01hR1wu4hjLgRPWteMaPtp6z6ujrTxQo/U1a6b3nKiMzBor4engCsDxJ2ulpy9kRmy5YcEz4+hzmAfI2EcnJALXR2QAGrp5ZYqG7u1aNmzU5P4L78ypJ3q5NWKkUR+RhyNwwb1/BRGhzn4tadjO3Ft0G4LxxTMShWnDBA8N7+WtexP92LuJZm7jPdPC2nF9i5TQInFBNxTzvl3Pk7/ckqUjPXxM57O6ykLuF3FMO6oBPEhGdkddSwNBPUA1oIEmu/w== gino@hl
+

+ 1 - 0
ansible/lldp.retry

@@ -0,0 +1 @@
+127.0.0.1

+ 8 - 0
ansible/lldp.yml

@@ -0,0 +1,8 @@
+# playbook.yml:
+--- 
+
+- name: "lldp"
+  hosts: thismachine
+  connection: local
+  roles:
+    - lldp
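Review bot: The document-start marker is written `--- ` with a trailing space, and the same appears in telegraf.yml, transmission.yml and vcn.yml, which additionally end in a whitespace-only line; yamllint's `trailing-spaces` rule flags all of these, so trim them. The `# playbook.yml:` comment above `---` is misleading in a file named lldp.yml; a comment saying what the play does, e.g. `# installs and configures lldpd via roles/lldp`, would be more useful than the filename it was copied from.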

+ 116 - 0
ansible/repo/bashrc

@@ -0,0 +1,116 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=999999
+HISTFILESIZE=200000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    #alias grep='grep --color=auto'
+    #alias fgrep='fgrep --color=auto'
+    #alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+alias ll='ls -lahs --color=auto'
+#alias la='ls -A'
+#alias l='ls -CF'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  elif [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+  fi
+fi
+
+HISTTIMEFORMAT="%Y-%m-%d_%T - "
+export PS1="\[\e[00;37m\]\t_\[\e[0m\]\[\e[00;33m\]\u\[\e[0m\]\[\e[00;37m\]@\[\e[0m\]\[\e[01;31m\]\h\[\e[0m\]\[\e[00;37m\]:\[\e[0m\]\[\e[00;36m\][\w]:\\$\[\e[0m\]\[\e[00;37m\]\[\e[0m\]"
+
+cd ~
+
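Review bot: `cd ~` as the last line of the copied .bashrc changes the working directory of every interactive non-login shell, so `bash -i`, `su -p`, new multiplexer panes and any script that sources the file will land in /root regardless of where they started; drop the line, or move it to a login-only file such as ~/.bash_profile if the intent is only fresh logins. The `export PS1=...` near the end unconditionally overrides the prompt computed by the `color_prompt` and xterm-title blocks above it, so that whole section is dead code now and could be removed to keep the prompt setup readable. The same file is committed again as repo/bashrc.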

+ 16 - 0
ansible/repo/telegraf_settings

@@ -0,0 +1,16 @@
+telegraf now installed, edit /etc/telegraf/telegraf.conf adding:
+
+[[outputs.influxdb]]
+  urls = ["http://SERVER:PORT"]
+  database = "DB"
+  username = "USER"
+  password = "PASS"
+
+
+and restart it
+
+just
+
+cat repo/telegraf_settings
+
+for all the info not garbled

+ 74 - 0
ansible/repo/transmission_settings

@@ -0,0 +1,74 @@
+{
+    "alt-speed-down": 1215751, 
+    "alt-speed-enabled": true, 
+    "alt-speed-time-begin": 90, 
+    "alt-speed-time-day": 127, 
+    "alt-speed-time-enabled": false, 
+    "alt-speed-time-end": 420, 
+    "alt-speed-up": 3567586, 
+    "bind-address-ipv4": "0.0.0.0", 
+    "bind-address-ipv6": "::", 
+    "blocklist-enabled": true, 
+    "blocklist-url": "http://john.bitsurge.net/public/biglist.p2p.gz", 
+    "cache-size-mb": 4, 
+    "dht-enabled": true, 
+    "download-dir": "/data/torrents/", 
+    "download-limit": 100, 
+    "download-limit-enabled": 0, 
+    "download-queue-enabled": false, 
+    "download-queue-size": 5, 
+    "encryption": 2, 
+    "idle-seeding-limit": 30, 
+    "idle-seeding-limit-enabled": false, 
+    "incomplete-dir": "/data/torrents/_incomplete/", 
+    "incomplete-dir-enabled": true, 
+    "lpd-enabled": true, 
+    "max-peers-global": 200, 
+    "message-level": 1, 
+    "peer-congestion-algorithm": "", 
+    "peer-id-ttl-hours": 6, 
+    "peer-limit-global": 16959, 
+    "peer-limit-per-torrent": 9999, 
+    "peer-port": 51413, 
+    "peer-port-random-high": 65535, 
+    "peer-port-random-low": 49152, 
+    "peer-port-random-on-start": false, 
+    "peer-socket-tos": "default", 
+    "pex-enabled": true, 
+    "port-forwarding-enabled": false, 
+    "preallocation": 1, 
+    "prefetch-enabled": 1, 
+    "queue-stalled-enabled": true, 
+    "queue-stalled-minutes": 30, 
+    "ratio-limit": 2, 
+    "ratio-limit-enabled": false, 
+    "rename-partial-files": true, 
+    "rpc-authentication-required": true, 
+    "rpc-bind-address": "0.0.0.0", 
+    "rpc-enabled": true, 
+    "rpc-password": "{8ed7b18864b8eba7ea5aa5b5df1ef3c7494f9c7fm7lsHLa0", 
+    "rpc-port": 9091, 
+    "rpc-url": "/transmission/", 
+    "rpc-username": "transmission", 
+    "rpc-whitelist": "0.0.0.0", 
+    "rpc-whitelist-enabled": false, 
+    "scrape-paused-torrents-enabled": true, 
+    "script-torrent-done-enabled": false, 
+    "script-torrent-done-filename": "", 
+    "seed-queue-enabled": false, 
+    "seed-queue-size": 10, 
+    "speed-limit-down": 20000, 
+    "speed-limit-down-enabled": true, 
+    "speed-limit-up": 1020, 
+    "speed-limit-up-enabled": true, 
+    "start-added-torrents": true, 
+    "trash-original-torrent-files": true, 
+    "umask": 18, 
+    "upload-limit": 100, 
+    "upload-limit-enabled": 0, 
+    "upload-slots-per-torrent": 14, 
+    "utp-enabled": true, 
+    "watch-dir": "/data/torrents/_watchdir/", 
+    "watch-dir-enabled": true
+}
+
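Review bot: `rpc-bind-address` is `0.0.0.0` with `rpc-whitelist-enabled` false, so the RPC interface on `rpc-port` 9091 is reachable on every interface and protected only by the `rpc-username`/`rpc-password` pair; setting `"rpc-bind-address": "127.0.0.1"` (or re-enabling the whitelist with the vcn range) limits exposure to what the host firewall happens to allow. The rules.v4 block in common.yml accepts only tcp/22 inbound, so if that firewall is applied neither 9091 nor `peer-port` 51413 is reachable from outside and inbound peers are dropped, which looks unintended for a seeding host — either open 51413 there or note that only outbound connections are expected. The committed `rpc-password` appears to be Transmission's salted hash rather than plaintext, but it is still a credential artifact in git; prefer setting it out of band or templating it from a vaulted variable. The same file is committed again as repo/transmission_settings.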

+ 29 - 0
ansible/roles/lldp/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Install lldpd
+  apt:
+    pkg:
+    - lldpd
+
+- name: stop transmission
+  systemd:
+    state: stopped
+    name: lldpd
+
+- name: memorize hostname variable
+  shell: hostname
+  register: hostname
+
+- set_fact: 
+    hostname={{ hostname.stdout }}
+
+- name: Add a line to a file if the file does not exist, without passing regexp
+  lineinfile:
+#    path: /etc/lldpd.d/hostname.conf
+    destfile: /etc/lldpd.d/hostname.conf
+    line: configure system description {{ hostname }}
+    create: yes
+    state: present
+
+- name: stop transmission
+  systemd:
+    state: started
+    name: lldpd
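Review bot: Both `systemd` tasks are named `stop transmission` although they manage `lldpd`, and the second one actually starts it; rename them `stop lldpd` / `start lldpd` so the play output is readable. The `shell: hostname` + `register` + `set_fact` trio can be replaced by the gathered fact `ansible_hostname` (or `ansible_fqdn`), which also removes a `shell` task that reports changed on every run. `set_fact` written as `hostname={{ hostname.stdout }}` under a block mapping is the legacy k=v string form; `set_fact:` with `hostname: "{{ hostname.stdout }}"` is the conventional one. The same applies to the copy at roles/lldp/tasks/main.yml.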

+ 13 - 0
ansible/roles/ssh_hardening/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: Password based logins are disabled - only public key based logins are allowed.
+  lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
+
+- name: restart sshd
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: sshd
+
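Review bot: The five `lineinfile` edits to sshd_config run with no `validate`, and the unconditional `state: restarted` that follows takes sshd down if any of them yields a config sshd rejects; add `validate: '/usr/sbin/sshd -t -f %s'` to each edit so a bad line fails the task instead of the service. Only the `PermitRootLogin` regexp lacks the `#?` prefix the other four use, so a commented default line is left in place and the new line is appended at end of file, where it would land inside any trailing `Match` block and silently apply only there; use `regexp='^#?PermitRootLogin'` for consistency, and consider `insertbefore: '^Match'` or a drop-in under sshd_config.d where the installed OpenSSH supports `Include`. `PermitRootLogin No` would read more consistently as lowercase `no` like the other values. Since `AuthenticationMethods publickey` plus `PasswordAuthentication no` locks out any account without an authorized key, a comment on the first task stating that this role must only run after the `authorized_key` task in common.yml has succeeded would help the next maintainer. The same applies to the copy at roles/ssh_hardening/tasks/main.yml.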

+ 73 - 0
ansible/roles/telegraf/tasks/main.yml

@@ -0,0 +1,73 @@
+- name: Install telegraf prerequsistes
+  apt:
+    pkg:
+    - apt-transport-https
+    - curl
+
+- name: Add influx repo key
+  shell: curl -sL https://repos.influxdata.com/influxdb.key | apt-key add -
+
+#- name: Check system version
+#  shell: source /etc/os-release
+#  args:
+#     executable: /bin/bash
+#
+#- set_fact: VERSION_ID="{{ lookup('env','VERSION_ID') }}"
+
+- name: memorize debian version variable
+  shell: cat /etc/debian_version | cut -d. -f1
+  register: debian_version
+
+- set_fact:
+    debian_version={{ debian_version.stdout }}
+
+- name: add repo for debian 7
+  when: "{{ debian_version }} == 7"
+  shell: echo "deb https://repos.influxdata.com/debian wheezy stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: add repo for debian 8
+  when: "{{ debian_version }} == 8"
+  shell: echo "deb https://repos.influxdata.com/debian jessie stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: add repo for debian 9
+  when: "{{ debian_version }} == 9"
+  shell: echo "deb https://repos.influxdata.com/debian stretch stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: Update repositories cache
+  apt:
+    update_cache: yes
+
+- name: telegraf
+  apt:
+    pkg:
+    - telegraf
+
+- name: create telegraf basic config
+  shell: telegraf -sample-config -input-filter cpu:mem:swap:net:netstat:disk:diskio:docker:system:processes:kernel:sysstat:conntrack:nstat:iptables:sensors -output-filter influxdb > /etc/telegraf/telegraf.conf
+
+- name: restart telegraf
+  systemd:
+    state: restarted
+    name: telegraf
+
+- name: restart telegraf
+  systemd:
+    enabled: yes
+    name: telegraf
+
+#- name: display public key
+#  vars:
+#  debug: 
+#    msg:
+#      - 'telegraf now installed, edit /etc/telegraf/telegraf.conf adding:'
+#      - '[[outputs.influxdb]]'
+#      - '  urls = ["http://172.20.1.168:8086"]'
+#      - '  database = "telegraf_vcn_int"'
+#      - '  username = "telegraf_akari"'
+#      - '  password = "FCw7izWVan8cnh3upuwxtn15pnlhjWY2"'
+
+- name: display help next steps
+  vars:
+     contents: "{{ lookup('file', 'repo/telegraf_settings') }}"
+  debug: msg="{{ contents.split('\n') }}"
+
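Review bot: The commented-out block near the end of the file carries a live-looking InfluxDB username, password and internal address; commenting it out does not keep it out of git history, so that credential should be treated as exposed and rotated, and the block removed (the placeholder version in repo/telegraf_settings already serves the documentation purpose). `curl ... | apt-key add -` imports whatever key the server returns with no fingerprint check, and `apt-key` is deprecated; the `apt_key` module with `url` and `id` pins the expected fingerprint, and `apt_repository` replaces the three `echo | tee` tasks. The `when: "{{ debian_version }} == 7"` conditions rely on Jinja templating inside `when` (which Ansible warns about) and on the stdout string being re-parsed as a number; `when: debian_version | int == 7` is the explicit form, and the gathered fact `ansible_distribution_major_version` would remove the `cat /etc/debian_version` shell task entirely. The two tasks both named `restart telegraf` do different things (restart vs enable); rename the second `enable telegraf` or merge them into one `systemd` task with `state: restarted` and `enabled: true`. The same applies to the copy at roles/telegraf/tasks/main.yml, which is cut off at the end of this page.
```yaml
- name: Add influx repo key
  apt_key:
    url: https://repos.influxdata.com/influxdb.key
    id: "<INFLUXDATA_KEY_FINGERPRINT>"  # placeholder: the published key fingerprint

# … unchanged: debian_version detection …

- name: add repo for debian 9
  when: debian_version | int == 9
  apt_repository:
    repo: deb https://repos.influxdata.com/debian stretch stable
    filename: influxdb
```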

+ 57 - 0
ansible/roles/transmission/tasks/main.yml

@@ -0,0 +1,57 @@
+- name: Install transmission
+  apt:
+    pkg:
+    - transmission-daemon
+
+- name: stop transmission
+  systemd:
+    state: stopped
+    name: transmission-daemon
+
+
+- name: "Copy file with owner and permissions"
+  copy:
+    backup: yes
+    src: "{{ playbook_dir }}/repo/transmission_settings"
+    dest: /etc/transmission-daemon/settings.json
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0600'
+
+- name: Create dir /data
+  file:
+    path: /data
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create dir /data/torrents
+  file:
+    path: /data/torrents
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: Create dir /data/torrents/_incomplete
+  file:
+    path: /data/torrents/_incomplete
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: Create dir /data/torrents/_watchdir
+  file:
+    path: /data/torrents/_watchdir
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: restart transmission
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: transmission-daemon
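Review bot: The task names here are either the documentation example (`Copy file with owner and permissions`, also used in common.yml) or generic, and `stop transmission` is reused verbatim in the lldp role for a different service, so play output cannot be told apart; name them for what they do, e.g. `install settings.json for transmission-daemon`. `backup: yes` on that copy leaves timestamped copies of settings.json, RPC password hash included, in /etc/transmission-daemon on every change; they presumably inherit the 0600 mode so this is clutter rather than exposure, but `backup` can be dropped since the file is fully managed from the repo. Truthy values are written as `yes` (`backup`, `daemon_reload`); `true`/`false` is the yamllint-clean form.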

+ 13 - 0
ansible/roles/vcn/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: create vcn folder
+  file:
+    path: /etc/tinc/vcn
+    state: directory
+    mode: '0700'
+
+- name: create keys
+  shell: tincd -n vcn -K4096
+
+- name: display public key
+  vars:
+     contents: "{{ lookup('file', '/etc/tinc/vcn/rsa_key.pub') }}"
+  debug: msg="vcn public key is {{ contents }}"
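Review bot: `shell: tincd -n vcn -K4096` is not idempotent: on a second run the key pair already exists and, depending on the tinc version, the command either prompts to overwrite (hanging without a TTY) or replaces the keys and breaks the existing peer configuration; add `args: {creates: /etc/tinc/vcn/rsa_key.priv}` so the task is skipped once a key exists. `lookup('file', '/etc/tinc/vcn/rsa_key.pub')` reads on the controller, which only works here because the play uses `connection: local`; a comment saying so (and pointing to `slurp` for remote hosts) would save the next person a confusing failure. Keeping the directory at `0700` and only printing the public key is right.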

+ 1 - 0
ansible/telegraf.retry

@@ -0,0 +1 @@
+127.0.0.1

+ 9 - 0
ansible/telegraf.yml

@@ -0,0 +1,9 @@
+# playbook.yml:
+--- 
+
+- name: "telegraf"
+  hosts: thismachine
+  connection: local
+  roles:
+    - telegraf
+    

+ 8 - 0
ansible/to_add.txt

@@ -0,0 +1,8 @@
+vcn:
+nano /lib/systemd/system/tinc@.service
+
+ExecStart=/usr/sbin/tincd -n %i -D --logfile
+ExecReload=/usr/sbin/tincd -n %i -kHUP --logfile
+
+
+systemctl restart tinc@vcn

+ 8 - 0
ansible/transmission.yml

@@ -0,0 +1,8 @@
+# playbook.yml:
+--- 
+
+- name: "transmission"
+  hosts: thismachine
+  connection: local
+  roles:
+    - transmission

+ 9 - 0
ansible/vcn.yml

@@ -0,0 +1,9 @@
+# playbook.yml:
+--- 
+
+- name: "vcn"
+  hosts: thismachine
+  connection: local
+  roles:
+    - vcn
+    

+ 130 - 0
common.yml

@@ -0,0 +1,130 @@
+# playbook.yml:
+---
+- name: "common config"
+  hosts: thismachine
+  connection: local
+
+  vars:
+    users:
+    - panda
+
+  tasks:
+    - name: Set timezone to Europe/Rome
+      timezone:
+        name: Europe/Rome
+
+    - name: Update repositories cache
+      apt:
+        update_cache: yes
+
+    - name: Install a list of packages
+      apt:
+        pkg:
+        - htop
+        - iotop
+        - glances
+        - screen
+        - sysstat
+        - git
+        - nmap
+        - ntp
+        - tinc
+        - fail2ban
+        - iptables-persistent
+
+    - debug:
+        msg: The main interface is {{ ansible_default_ipv4.interface }}
+
+    - name: Create a directory if it does not exist
+      file:
+        path: /scripts
+        state: directory
+        mode: '0755'
+
+    - name: "Create user accounts and add users to groups"
+      user:
+        name: "{{ item }}"
+        shell: "/bin/bash"
+      with_items: "{{ users }}"
+
+    - name: "Add authorized keys"
+      authorized_key:
+        user: "{{ item }}"
+        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
+      with_items: "{{ users }}"
+
+    - name: create rules.v4
+      blockinfile:
+        create: yes
+        state: present
+#        path: "/scripts/rules.v4"
+        dest: "/scripts/rules.v4"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT ACCEPT [372:91728]
+          :fail2ban-ssh - [0:0]
+          -A INPUT -i lo -j ACCEPT
+          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -i vcn -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -s 172.20.1.125/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda blackfox" -j ACCEPT
+          -A INPUT -s 172.20.1.65/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda kiwi" -j ACCEPT
+          -A INPUT -s 172.20.1.90/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda scass1" -j ACCEPT
+          #-A INPUT -s 172.20.1.82/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment davide -j ACCEPT
+          #-A INPUT -s 172.20.1.15/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment encrypt -j ACCEPT
+          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+          -A INPUT -j DROP
+          -A OUTPUT -o lo -j ACCEPT
+          -A fail2ban-ssh -j RETURN
+          COMMIT
+          # Completed on Tue Nov 19 22:41:29 2019
+
+    - name: create rules.v6
+      blockinfile:
+        create: yes
+        state: present
+#        path: "/scripts/rules.v4"
+        dest: "/scripts/rules.v6"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT DROP [0:0]
+          COMMIT
+          # Completed on Tue Nov 19 22:58:08 2019
+
+    - name: reload iptables v4
+      action: shell /sbin/iptables-restore -! < /scripts/rules.v4
+
+    - name: reload iptables v4
+      action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6
+
+    - name: save iptables v4 rules
+      shell: iptables-save > /etc/iptables/rules.v4
+
+    - name: save iptables v6 rules
+      shell: ip6tables-save > /etc/iptables/rules.v6
+
+
+    - name: "Copy file with owner and permissions"
+      copy:
+        backup: yes
+        src: "{{ playbook_dir }}/repo/bashrc"
+        dest: /root/.bashrc
+        owner: root
+        group: root
+        mode: '0644'
+
+
+- name: "ssh_hardening"
+  hosts: thismachine
+  connection: local
+  roles:
+    - ssh_hardening
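Review bot: This file appears identical to ansible/common.yml committed earlier in the same change, and the same holds for lldp.yml, repo/, roles/ and the other playbooks, so the tree exists twice and the two copies will drift; keep one — presumably the top-level copy, since the README's `ansible-playbook common.yml` and the `playbook_dir`-relative `repo/` and `keys/` paths are written for it — and delete the other. Every task-level comment made on the ansible/ copies applies here unchanged.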

+ 47 - 0
hosts

@@ -0,0 +1,47 @@
+# This is the default ansible 'hosts' file.
+#
+# It should live in /etc/ansible/hosts
+#
+#   - Comments begin with the '#' character
+#   - Blank lines are ignored
+#   - Groups of hosts are delimited by [header] elements
+#   - You can enter hostnames or ip addresses
+#   - A hostname/ip can be a member of multiple groups
+
+# Ex 1: Ungrouped hosts, specify before any group headers.
+
+#green.example.com
+#blue.example.com
+#192.168.100.1
+#192.168.100.10
+
+# Ex 2: A collection of hosts belonging to the 'webservers' group
+
+#[webservers]
+#alpha.example.org
+#beta.example.org
+#192.168.1.100
+#192.168.1.110
+
+# If you have multiple hosts following a pattern you can specify
+# them like this:
+
+#www[001:006].example.com
+
+# Ex 3: A collection of database servers in the 'dbservers' group
+
+#[dbservers]
+#
+#db01.intranet.mydomain.net
+#db02.intranet.mydomain.net
+#10.25.1.56
+#10.25.1.57
+
+# Here's another example of host ranges, this time there are no
+# leading 0s:
+
+#db-[99:101]-node.example.com
+
+
+[thismachine]
+127.0.0.1
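Review bot: This inventory duplicates what the README tells the user to append to /etc/ansible/hosts, and the two can drift; running the playbooks as `ansible-playbook -i hosts common.yml` and dropping the manual `echo >> /etc/ansible/hosts` step would keep the repo self-contained. The commented example block from the stock Ansible template is 45 lines of noise around the one `[thismachine]` group that matters and can be removed.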

+ 2 - 0
keys/panda.key.pub

@@ -0,0 +1,2 @@
+ssh-rsa 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 gino@hl
+

+ 8 - 0
lldp.yml

@@ -0,0 +1,8 @@
+# playbook.yml:
+--- 
+
+- name: "lldp"
+  hosts: thismachine
+  connection: local
+  roles:
+    - lldp

+ 116 - 0
repo/bashrc

@@ -0,0 +1,116 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=999999
+HISTFILESIZE=200000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    #alias grep='grep --color=auto'
+    #alias fgrep='fgrep --color=auto'
+    #alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+alias ll='ls -lahs --color=auto'
+#alias la='ls -A'
+#alias l='ls -CF'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  elif [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+  fi
+fi
+
+HISTTIMEFORMAT="%Y-%m-%d_%T - "
+export PS1="\[\e[00;37m\]\t_\[\e[0m\]\[\e[00;33m\]\u\[\e[0m\]\[\e[00;37m\]@\[\e[0m\]\[\e[01;31m\]\h\[\e[0m\]\[\e[00;37m\]:\[\e[0m\]\[\e[00;36m\][\w]:\\$\[\e[0m\]\[\e[00;37m\]\[\e[0m\]"
+
+cd ~
+

+ 16 - 0
repo/telegraf_settings

@@ -0,0 +1,16 @@
+telegraf now installed, edit /etc/telegraf/telegraf.conf adding:
+
+[[outputs.influxdb]]
+  urls = ["http://SERVER:PORT"]
+  database = "DB"
+  username = "USER"
+  password = "PASS"
+
+
+and restart it
+
+just
+
+cat repo/telegraf_settings
+
+for all the info not garbled

+ 74 - 0
repo/transmission_settings

@@ -0,0 +1,74 @@
+{
+    "alt-speed-down": 1215751, 
+    "alt-speed-enabled": true, 
+    "alt-speed-time-begin": 90, 
+    "alt-speed-time-day": 127, 
+    "alt-speed-time-enabled": false, 
+    "alt-speed-time-end": 420, 
+    "alt-speed-up": 3567586, 
+    "bind-address-ipv4": "0.0.0.0", 
+    "bind-address-ipv6": "::", 
+    "blocklist-enabled": true, 
+    "blocklist-url": "http://john.bitsurge.net/public/biglist.p2p.gz", 
+    "cache-size-mb": 4, 
+    "dht-enabled": true, 
+    "download-dir": "/data/torrents/", 
+    "download-limit": 100, 
+    "download-limit-enabled": 0, 
+    "download-queue-enabled": false, 
+    "download-queue-size": 5, 
+    "encryption": 2, 
+    "idle-seeding-limit": 30, 
+    "idle-seeding-limit-enabled": false, 
+    "incomplete-dir": "/data/torrents/_incomplete/", 
+    "incomplete-dir-enabled": true, 
+    "lpd-enabled": true, 
+    "max-peers-global": 200, 
+    "message-level": 1, 
+    "peer-congestion-algorithm": "", 
+    "peer-id-ttl-hours": 6, 
+    "peer-limit-global": 16959, 
+    "peer-limit-per-torrent": 9999, 
+    "peer-port": 51413, 
+    "peer-port-random-high": 65535, 
+    "peer-port-random-low": 49152, 
+    "peer-port-random-on-start": false, 
+    "peer-socket-tos": "default", 
+    "pex-enabled": true, 
+    "port-forwarding-enabled": false, 
+    "preallocation": 1, 
+    "prefetch-enabled": 1, 
+    "queue-stalled-enabled": true, 
+    "queue-stalled-minutes": 30, 
+    "ratio-limit": 2, 
+    "ratio-limit-enabled": false, 
+    "rename-partial-files": true, 
+    "rpc-authentication-required": true, 
+    "rpc-bind-address": "0.0.0.0", 
+    "rpc-enabled": true, 
+    "rpc-password": "{8ed7b18864b8eba7ea5aa5b5df1ef3c7494f9c7fm7lsHLa0", 
+    "rpc-port": 9091, 
+    "rpc-url": "/transmission/", 
+    "rpc-username": "transmission", 
+    "rpc-whitelist": "0.0.0.0", 
+    "rpc-whitelist-enabled": false, 
+    "scrape-paused-torrents-enabled": true, 
+    "script-torrent-done-enabled": false, 
+    "script-torrent-done-filename": "", 
+    "seed-queue-enabled": false, 
+    "seed-queue-size": 10, 
+    "speed-limit-down": 20000, 
+    "speed-limit-down-enabled": true, 
+    "speed-limit-up": 1020, 
+    "speed-limit-up-enabled": true, 
+    "start-added-torrents": true, 
+    "trash-original-torrent-files": true, 
+    "umask": 18, 
+    "upload-limit": 100, 
+    "upload-limit-enabled": 0, 
+    "upload-slots-per-torrent": 14, 
+    "utp-enabled": true, 
+    "watch-dir": "/data/torrents/_watchdir/", 
+    "watch-dir-enabled": true
+}
+

+ 29 - 0
roles/lldp/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Install lldpd
+  apt:
+    pkg:
+    - lldpd
+
+- name: stop transmission
+  systemd:
+    state: stopped
+    name: lldpd
+
+- name: memorize hostname variable
+  shell: hostname
+  register: hostname
+
+- set_fact: 
+    hostname={{ hostname.stdout }}
+
+- name: Add a line to a file if the file does not exist, without passing regexp
+  lineinfile:
+#    path: /etc/lldpd.d/hostname.conf
+    destfile: /etc/lldpd.d/hostname.conf
+    line: configure system description {{ hostname }}
+    create: yes
+    state: present
+
+- name: stop transmission
+  systemd:
+    state: started
+    name: lldpd

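--- a/roles/ssh_hardening/tasks/main.yml
+++ b/roles/ssh_hardening/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: Password based logins are disabled - only public key based logins are allowed.
+  lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'
+- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
+
+- name: restart sshd
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: sshd
+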
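Review bot: The `^PermitRootLogin` regexp on the fifth lineinfile, unlike the `^#?` form used by the other four, does not match the commented-out `#PermitRootLogin ...` default that Debian ships, so lineinfile appends a new line at the very end of `sshd_config`; if a `Match` block is ever present in that file, the appended directive becomes scoped to the block and the root-login restriction silently stops applying globally. None of the five edits is validated before the unconditional restart, so a typo in any of them leaves a dead sshd and, with password authentication now off, possibly no way back onto the host. I would fold the five edits into one block-style task with `validate: '/usr/sbin/sshd -t -f %s'`, fix the regexp to `^#?PermitRootLogin` (lower-case `no` matches the documented values), and restart via a handler so sshd is only bounced when something actually changed; `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` on OpenSSH 8.7 and later, which is worth a comment if old releases are still targeted.
```yaml
- name: Password based logins are disabled - only public key based logins are allowed.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # refuse the edit if the resulting file does not parse, instead of restarting a broken sshd
    validate: '/usr/sbin/sshd -t -f %s'
  with_items:
    - { regexp: '^#?AuthenticationMethods', line: 'AuthenticationMethods publickey' }
    - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regexp: '^#?ChallengeResponseAuthentication', line: 'ChallengeResponseAuthentication no' }
    - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
    - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
  notify: restart sshd
# … unchanged: the restart task, moved to handlers/main.yml under the name `restart sshd` …
```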

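--- a/roles/telegraf/tasks/main.yml
+++ b/roles/telegraf/tasks/main.yml
@@ -0,0 +1,73 @@
+- name: Install telegraf prerequsistes
+  apt:
+    pkg:
+    - apt-transport-https
+    - curl
+
+- name: Add influx repo key
+  shell: curl -sL https://repos.influxdata.com/influxdb.key | apt-key add -
+
+#- name: Check system version
+#  shell: source /etc/os-release
+#  args:
+#     executable: /bin/bash
+#
+#- set_fact: VERSION_ID="{{ lookup('env','VERSION_ID') }}"
+
+- name: memorize debian version variable
+  shell: cat /etc/debian_version | cut -d. -f1
+  register: debian_version
+
+- set_fact:
+    debian_version={{ debian_version.stdout }}
+
+- name: add repo for debian 7
+  when: "{{ debian_version }} == 7"
+  shell: echo "deb https://repos.influxdata.com/debian wheezy stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: add repo for debian 8
+  when: "{{ debian_version }} == 8"
+  shell: echo "deb https://repos.influxdata.com/debian jessie stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: add repo for debian 9
+  when: "{{ debian_version }} == 9"
+  shell: echo "deb https://repos.influxdata.com/debian stretch stable" | tee /etc/apt/sources.list.d/influxdb.list
+
+- name: Update repositories cache
+  apt:
+    update_cache: yes
+
+- name: telegraf
+  apt:
+    pkg:
+    - telegraf
+
+- name: create telegraf basic config
+  shell: telegraf -sample-config -input-filter cpu:mem:swap:net:netstat:disk:diskio:docker:system:processes:kernel:sysstat:conntrack:nstat:iptables:sensors -output-filter influxdb > /etc/telegraf/telegraf.conf
+
+- name: restart telegraf
+  systemd:
+    state: restarted
+    name: telegraf
+
+- name: restart telegraf
+  systemd:
+    enabled: yes
+    name: telegraf
+
+#- name: display public key
+#  vars:
+#  debug: 
+#    msg:
+#      - 'telegraf now installed, edit /etc/telegraf/telegraf.conf adding:'
+#      - '[[outputs.influxdb]]'
+#      - '  urls = ["http://172.20.1.168:8086"]'
+#      - '  database = "telegraf_vcn_int"'
+#      - '  username = "telegraf_akari"'
+#      - '  password = "FCw7izWVan8cnh3upuwxtn15pnlhjWY2"'
+
+- name: display help next steps
+  vars:
+     contents: "{{ lookup('file', 'repo/telegraf_settings') }}"
+  debug: msg="{{ contents.split('\n') }}"
+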
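Review bot: The commented-out `display public key` block near the end of the hunk carries what appears to be a live InfluxDB username and password together with an internal address; commenting it out changes nothing once it is committed, so that credential should be treated as exposed and rotated, and values like it kept in an Ansible Vault variable or the out-of-tree `repo/telegraf_settings` file rather than in the role. The `curl … | apt-key add -` step trusts whatever the server returns, for every apt repository on the host, with no fingerprint check and through a tool that is now deprecated; prefer `apt_key` with `url:` plus the publisher's fingerprint in `id:` (or, on releases whose apt supports it, a keyring file referenced via `signed-by=` in the `.list` entry). `telegraf -sample-config … > /etc/telegraf/telegraf.conf` regenerates the config on every run, so the `[[outputs.influxdb]]` credentials the final help text tells the operator to add are wiped by the next play; guard it with `args: creates: /etc/telegraf/telegraf.conf`. The `when: "{{ debian_version }} == 7"` conditions only work because the templated text is re-evaluated (Ansible warns about braces in `when`); write them as `when: debian_version | int == 7`, since the registered `stdout` is a string, and note that a Debian 10 or newer host matches none of the three branches and then fails at `apt: telegraf` with no repository configured.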

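--- a/roles/transmission/tasks/main.yml
+++ b/roles/transmission/tasks/main.yml
@@ -0,0 +1,57 @@
+- name: Install transmission
+  apt:
+    pkg:
+    - transmission-daemon
+
+- name: stop transmission
+  systemd:
+    state: stopped
+    name: transmission-daemon
+
+
+- name: "Copy file with owner and permissions"
+  copy:
+    backup: yes
+    src: "{{ playbook_dir }}/repo/transmission_settings"
+    dest: /etc/transmission-daemon/settings.json
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0600'
+
+- name: Create dir /data
+  file:
+    path: /data
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create dir /data/torrents
+  file:
+    path: /data/torrents
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: Create dir /data/torrents/_incomplete
+  file:
+    path: /data/torrents/_incomplete
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: Create dir /data/torrents/_watchdir
+  file:
+    path: /data/torrents/_watchdir
+    state: directory
+    owner: debian-transmission
+    group: debian-transmission
+    mode: '0755'
+
+- name: restart transmission
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: transmission-daemon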
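Review bot: The file installed by the copy task, `repo/transmission_settings`, is the settings.json shown earlier on this page, and it binds the RPC interface on `0.0.0.0:9091` with `rpc-whitelist-enabled: false`, so the only thing between the network and a web UI that can add torrents and change session settings is the `transmission` account password, whose salted hash (the `{…}` form Transmission writes back) is itself committed in the repo. Set `"rpc-bind-address": "127.0.0.1"` and reach the UI over SSH or the tinc network, or keep the wildcard bind but re-enable the whitelist and add an iptables rule for 9091 (common.yml installs iptables-persistent and fail2ban, but no rule for this port is visible in the commit), and treat the committed password as disclosed. The `0600` mode and `debian-transmission` ownership on settings.json are correct, and stopping the daemon before the copy is what prevents Transmission from overwriting the file on shutdown; that reason is worth a comment on the stop task, `# stop first: transmission rewrites settings.json on exit`, since it otherwise looks redundant next to the final restart.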

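--- a/roles/vcn/tasks/main.yml
+++ b/roles/vcn/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: create vcn folder
+  file:
+    path: /etc/tinc/vcn
+    state: directory
+    mode: '0700'
+
+- name: create keys
+  shell: tincd -n vcn -K4096
+
+- name: display public key
+  vars:
+     contents: "{{ lookup('file', '/etc/tinc/vcn/rsa_key.pub') }}"
+  debug: msg="vcn public key is {{ contents }}"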
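Review bot: `shell: tincd -n vcn -K4096` in the `create keys` task is not idempotent: key generation runs on every play, and depending on the tinc version it will either append to or prompt about the existing `rsa_key.priv`/`rsa_key.pub`, neither of which is acceptable on a node whose public key has already been handed to the other peers. Guard it with `args: creates: /etc/tinc/vcn/rsa_key.priv` so the key pair is generated exactly once and the following debug lookup keeps printing the same key. The role also writes no `tinc.conf` or `hosts/` entry, and the `to_add.txt` notes in this commit are the only hint of the remaining manual steps; a comment on the task such as `# tinc.conf and hosts/ are provisioned by hand, see to_add.txt` would help the next operator.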

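--- a/telegraf.yml
+++ b/telegraf.yml
@@ -0,0 +1,9 @@
+# playbook.yml:
+--- 
+
+- name: "telegraf"
+  hosts: thismachine
+  connection: local
+  roles:
+    - telegraf
+    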

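--- a/to_add.txt
+++ b/to_add.txt
@@ -0,0 +1,8 @@
+vcn:
+nano /lib/systemd/system/tinc@.service
+
+ExecStart=/usr/sbin/tincd -n %i -D --logfile
+ExecReload=/usr/sbin/tincd -n %i -kHUP --logfile
+
+
+systemctl restart tinc@vcn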

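--- a/transmission.yml
+++ b/transmission.yml
@@ -0,0 +1,8 @@
+# playbook.yml:
+--- 
+
+- name: "transmission"
+  hosts: thismachine
+  connection: local
+  roles:
+    - transmission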

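--- a/vcn.yml
+++ b/vcn.yml
@@ -0,0 +1,9 @@
+# playbook.yml:
+--- 
+
+- name: "vcn"
+  hosts: thismachine
+  connection: local
+  roles:
+    - vcn
+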