panda/Ansible_PUBLIC
1
1
Fork 0
Code Issues 3 Pull requests Releases Wiki Activity

first commit

Browse source
This commit is contained in:
panda 2020-03-13 20:05:35 +01:00
commit 0016da9fed
34 changed files with 1219 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
README.md Normal file
View file

@ -0,0 +1,40 @@
PREREQUISITES:
apt-get install -y ansible
echo "[thismachine]" >> /etc/ansible/hosts
echo "127.0.0.1" >> /etc/ansible/hosts
SETUP:
insert your user and key in:
common.yml
in the list:
vars:
users:
goofy
and their ssh keys in the folder
keys
in form of filename:
goofy.key.pub
and format:
ssh-rsa [/CUT] user@host
RUN DEFAULTS:
ansible-playbook common.yml
GIT PUSH:
git add --all
git commit -m "added things to readme"
git push -u origin master
or:
git add --all && git commit -m "message" && git push -u origin master

130
ansible/common.yml Normal file
View file

@ -0,0 +1,130 @@
# playbook.yml:
---
- name: "common config"
hosts: thismachine
connection: local
vars:
users:
- panda
tasks:
- name: Set timezone to Europe/Rome
timezone:
name: Europe/Rome
- name: Update repositories cache
apt:
update_cache: yes
- name: Install a list of packages
apt:
pkg:
- htop
- iotop
- glances
- screen
- sysstat
- git
- nmap
- ntp
- tinc
- fail2ban
- iptables-persistent
- debug:
msg: The main interface is {{ ansible_default_ipv4.interface }}
- name: Create a directory if it does not exist
file:
path: /scripts
state: directory
mode: '0755'
- name: "Create user accounts and add users to groups"
user:
name: "{{ item }}"
shell: "/bin/bash"
with_items: "{{ users }}"
- name: "Add authorized keys"
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
with_items: "{{ users }}"
- name: create rules.v4
blockinfile:
create: yes
state: present
# path: "/scripts/rules.v4"
dest: "/scripts/rules.v4"
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
block: |
# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [372:91728]
:fail2ban-ssh - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i vcn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 172.20.1.125/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda blackfox" -j ACCEPT
-A INPUT -s 172.20.1.65/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda kiwi" -j ACCEPT
-A INPUT -s 172.20.1.90/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda scass1" -j ACCEPT
#-A INPUT -s 172.20.1.82/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment davide -j ACCEPT
#-A INPUT -s 172.20.1.15/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment encrypt -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Nov 19 22:41:29 2019
- name: create rules.v6
blockinfile:
create: yes
state: present
# path: "/scripts/rules.v4"
dest: "/scripts/rules.v6"
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
block: |
# Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Tue Nov 19 22:58:08 2019
- name: reload iptables v4
action: shell /sbin/iptables-restore -! < /scripts/rules.v4
- name: reload iptables v4
action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6
- name: save iptables v4 rules
shell: iptables-save > /etc/iptables/rules.v4
- name: save iptables v6 rules
shell: ip6tables-save > /etc/iptables/rules.v6
- name: "Copy file with owner and permissions"
copy:
backup: yes
src: "{{ playbook_dir }}/repo/bashrc"
dest: /root/.bashrc
owner: root
group: root
mode: '0644'
- name: "ssh_hardening"
hosts: thismachine
connection: local
roles:
- ssh_hardening

2
ansible/keys/panda.key.pub Normal file
View file

@ -0,0 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDggvHQafvmP/bTxL4N0ZllGYuHlOVH66iOmgI4FXbndfwhWXumVVWR7W24UTz1SWdfrakDvz87QY4F6mva4pVSNgXQtKCFYewSrCw5+hxF/iHncwYTAq6TJFfGEXtb1irJDEJAnatCINQqZD5vEXkogbansfMvhq0xnnbO0PeTb3QMAGr+2WtZhsUoLY60TQY3nKvTUIzNeCMZBrlNXZueyVTsldyLZY0izkP6c14UjzhrCJ9K0GrbquDyHHb2H3eBiDLknQkmiqWSemWWnZTE0NaJad+tI+yrORa7S5LeuIg1uD0xxkACz+oSIwg8TVDViOyFSUqQ5CoJnQlWKk6YWNyZiPkQSfNt4em/hrVNma6bCgFQaV/pYaRIhze+LkGRyHfC1eHGIK/NGNBYiHF0/sTOpDIFiFrTUXwo5L6J01hR1wu4hjLgRPWteMaPtp6z6ujrTxQo/U1a6b3nKiMzBor4engCsDxJ2ulpy9kRmy5YcEz4+hzmAfI2EcnJALXR2QAGrp5ZYqG7u1aNmzU5P4L78ypJ3q5NWKkUR+RhyNwwb1/BRGhzn4tadjO3Ft0G4LxxTMShWnDBA8N7+WtexP92LuJZm7jPdPC2nF9i5TQInFBNxTzvl3Pk7/ckqUjPXxM57O6ykLuF3FMO6oBPEhGdkddSwNBPUA1oIEmu/w== gino@hl

1
ansible/lldp.retry Normal file
View file

@ -0,0 +1 @@
127.0.0.1

8
ansible/lldp.yml Normal file
View file

@ -0,0 +1,8 @@
# playbook.yml:
---
- name: "lldp"
hosts: thismachine
connection: local
roles:
- lldp

116
ansible/repo/bashrc Normal file
View file

@ -0,0 +1,116 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=999999
HISTFILESIZE=200000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -lahs --color=auto'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
HISTTIMEFORMAT="%Y-%m-%d_%T - "
export PS1="\[\e[00;37m\]\t_\[\e[0m\]\[\e[00;33m\]\u\[\e[0m\]\[\e[00;37m\]@\[\e[0m\]\[\e[01;31m\]\h\[\e[0m\]\[\e[00;37m\]:\[\e[0m\]\[\e[00;36m\][\w]:\\$\[\e[0m\]\[\e[00;37m\]\[\e[0m\]"
cd ~

16
ansible/repo/telegraf_settings Normal file
View file

@ -0,0 +1,16 @@
telegraf now installed, edit /etc/telegraf/telegraf.conf adding:
[[outputs.influxdb]]
urls = ["http://SERVER:PORT"]
database = "DB"
username = "USER"
password = "PASS"
and restart it
just
cat repo/telegraf_settings
for all the info not garbled

74
ansible/repo/transmission_settings Normal file
View file

@ -0,0 +1,74 @@
{
"alt-speed-down": 1215751,
"alt-speed-enabled": true,
"alt-speed-time-begin": 90,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 420,
"alt-speed-up": 3567586,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": true,
"blocklist-url": "http://john.bitsurge.net/public/biglist.p2p.gz",
"cache-size-mb": 4,
"dht-enabled": true,
"download-dir": "/data/torrents/",
"download-limit": 100,
"download-limit-enabled": 0,
"download-queue-enabled": false,
"download-queue-size": 5,
"encryption": 2,
"idle-seeding-limit": 30,
"idle-seeding-limit-enabled": false,
"incomplete-dir": "/data/torrents/_incomplete/",
"incomplete-dir-enabled": true,
"lpd-enabled": true,
"max-peers-global": 200,
"message-level": 1,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 16959,
"peer-limit-per-torrent": 9999,
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": false,
"preallocation": 1,
"prefetch-enabled": 1,
"queue-stalled-enabled": true,
"queue-stalled-minutes": 30,
"ratio-limit": 2,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": true,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-password": "{8ed7b18864b8eba7ea5aa5b5df1ef3c7494f9c7fm7lsHLa0",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "transmission",
"rpc-whitelist": "0.0.0.0",
"rpc-whitelist-enabled": false,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 10,
"speed-limit-down": 20000,
"speed-limit-down-enabled": true,
"speed-limit-up": 1020,
"speed-limit-up-enabled": true,
"start-added-torrents": true,
"trash-original-torrent-files": true,
"umask": 18,
"upload-limit": 100,
"upload-limit-enabled": 0,
"upload-slots-per-torrent": 14,
"utp-enabled": true,
"watch-dir": "/data/torrents/_watchdir/",
"watch-dir-enabled": true
}

29
ansible/roles/lldp/tasks/main.yml Normal file
View file

@ -0,0 +1,29 @@
- name: Install lldpd
apt:
pkg:
- lldpd
- name: stop transmission
systemd:
state: stopped
name: lldpd
- name: memorize hostname variable
shell: hostname
register: hostname
- set_fact:
hostname={{ hostname.stdout }}
- name: Add a line to a file if the file does not exist, without passing regexp
lineinfile:
# path: /etc/lldpd.d/hostname.conf
destfile: /etc/lldpd.d/hostname.conf
line: configure system description {{ hostname }}
create: yes
state: present
- name: stop transmission
systemd:
state: started
name: lldpd

13
ansible/roles/ssh_hardening/tasks/main.yml Normal file
View file

@ -0,0 +1,13 @@
- name: Password based logins are disabled - only public key based logins are allowed.
lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
- name: restart sshd
systemd:
state: restarted
daemon_reload: yes
name: sshd

73
ansible/roles/telegraf/tasks/main.yml Normal file
View file

@ -0,0 +1,73 @@
- name: Install telegraf prerequsistes
apt:
pkg:
- apt-transport-https
- curl
- name: Add influx repo key
shell: curl -sL https://repos.influxdata.com/influxdb.key | apt-key add -
#- name: Check system version
# shell: source /etc/os-release
# args:
# executable: /bin/bash
#
#- set_fact: VERSION_ID="{{ lookup('env','VERSION_ID') }}"
- name: memorize debian version variable
shell: cat /etc/debian_version | cut -d. -f1
register: debian_version
- set_fact:
debian_version={{ debian_version.stdout }}
- name: add repo for debian 7
when: "{{ debian_version }} == 7"
shell: echo "deb https://repos.influxdata.com/debian wheezy stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: add repo for debian 8
when: "{{ debian_version }} == 8"
shell: echo "deb https://repos.influxdata.com/debian jessie stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: add repo for debian 9
when: "{{ debian_version }} == 9"
shell: echo "deb https://repos.influxdata.com/debian stretch stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: Update repositories cache
apt:
update_cache: yes
- name: telegraf
apt:
pkg:
- telegraf
- name: create telegraf basic config
shell: telegraf -sample-config -input-filter cpu:mem:swap:net:netstat:disk:diskio:docker:system:processes:kernel:sysstat:conntrack:nstat:iptables:sensors -output-filter influxdb > /etc/telegraf/telegraf.conf
- name: restart telegraf
systemd:
state: restarted
name: telegraf
- name: restart telegraf
systemd:
enabled: yes
name: telegraf
#- name: display public key
# vars:
# debug:
# msg:
# - 'telegraf now installed, edit /etc/telegraf/telegraf.conf adding:'
# - '[[outputs.influxdb]]'
# - ' urls = ["http://172.20.1.168:8086"]'
# - ' database = "telegraf_vcn_int"'
# - ' username = "telegraf_akari"'
# - ' password = "FCw7izWVan8cnh3upuwxtn15pnlhjWY2"'
- name: display help next steps
vars:
contents: "{{ lookup('file', 'repo/telegraf_settings') }}"
debug: msg="{{ contents.split('\n') }}"

57
ansible/roles/transmission/tasks/main.yml Normal file
View file

@ -0,0 +1,57 @@
- name: Install transmission
apt:
pkg:
- transmission-daemon
- name: stop transmission
systemd:
state: stopped
name: transmission-daemon
- name: "Copy file with owner and permissions"
copy:
backup: yes
src: "{{ playbook_dir }}/repo/transmission_settings"
dest: /etc/transmission-daemon/settings.json
owner: debian-transmission
group: debian-transmission
mode: '0600'
- name: Create dir /data
file:
path: /data
state: directory
owner: root
group: root
mode: '0755'
- name: Create dir /data/torrents
file:
path: /data/torrents
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: Create dir /data/torrents/_incomplete
file:
path: /data/torrents/_incomplete
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: Create dir /data/torrents/_watchdir
file:
path: /data/torrents/_watchdir
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: restart transmission
systemd:
state: restarted
daemon_reload: yes
name: transmission-daemon

13
ansible/roles/vcn/tasks/main.yml Normal file
View file

@ -0,0 +1,13 @@
- name: create vcn folder
file:
path: /etc/tinc/vcn
state: directory
mode: '0700'
- name: create keys
shell: tincd -n vcn -K4096
- name: display public key
vars:
contents: "{{ lookup('file', '/etc/tinc/vcn/rsa_key.pub') }}"
debug: msg="vcn public key is {{ contents }}"

1
ansible/telegraf.retry Normal file
View file

@ -0,0 +1 @@
127.0.0.1

9
ansible/telegraf.yml Normal file
View file

@ -0,0 +1,9 @@
# playbook.yml:
---
- name: "telegraf"
hosts: thismachine
connection: local
roles:
- telegraf

8
ansible/to_add.txt Normal file
View file

@ -0,0 +1,8 @@
vcn:
nano /lib/systemd/system/tinc@.service
ExecStart=/usr/sbin/tincd -n %i -D --logfile
ExecReload=/usr/sbin/tincd -n %i -kHUP --logfile
systemctl restart tinc@vcn

8
ansible/transmission.yml Normal file
View file

@ -0,0 +1,8 @@
# playbook.yml:
---
- name: "transmission"
hosts: thismachine
connection: local
roles:
- transmission

9
ansible/vcn.yml Normal file
View file

@ -0,0 +1,9 @@
# playbook.yml:
---
- name: "vcn"
hosts: thismachine
connection: local
roles:
- vcn

130
common.yml Normal file
View file

@ -0,0 +1,130 @@
# playbook.yml:
---
- name: "common config"
hosts: thismachine
connection: local
vars:
users:
- panda
tasks:
- name: Set timezone to Europe/Rome
timezone:
name: Europe/Rome
- name: Update repositories cache
apt:
update_cache: yes
- name: Install a list of packages
apt:
pkg:
- htop
- iotop
- glances
- screen
- sysstat
- git
- nmap
- ntp
- tinc
- fail2ban
- iptables-persistent
- debug:
msg: The main interface is {{ ansible_default_ipv4.interface }}
- name: Create a directory if it does not exist
file:
path: /scripts
state: directory
mode: '0755'
- name: "Create user accounts and add users to groups"
user:
name: "{{ item }}"
shell: "/bin/bash"
with_items: "{{ users }}"
- name: "Add authorized keys"
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
with_items: "{{ users }}"
- name: create rules.v4
blockinfile:
create: yes
state: present
# path: "/scripts/rules.v4"
dest: "/scripts/rules.v4"
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
block: |
# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [372:91728]
:fail2ban-ssh - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i vcn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 172.20.1.125/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda blackfox" -j ACCEPT
-A INPUT -s 172.20.1.65/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda kiwi" -j ACCEPT
-A INPUT -s 172.20.1.90/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda scass1" -j ACCEPT
#-A INPUT -s 172.20.1.82/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment davide -j ACCEPT
#-A INPUT -s 172.20.1.15/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment encrypt -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Nov 19 22:41:29 2019
- name: create rules.v6
blockinfile:
create: yes
state: present
# path: "/scripts/rules.v4"
dest: "/scripts/rules.v6"
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
block: |
# Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Tue Nov 19 22:58:08 2019
- name: reload iptables v4
action: shell /sbin/iptables-restore -! < /scripts/rules.v4
- name: reload iptables v4
action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6
- name: save iptables v4 rules
shell: iptables-save > /etc/iptables/rules.v4
- name: save iptables v6 rules
shell: ip6tables-save > /etc/iptables/rules.v6
- name: "Copy file with owner and permissions"
copy:
backup: yes
src: "{{ playbook_dir }}/repo/bashrc"
dest: /root/.bashrc
owner: root
group: root
mode: '0644'
- name: "ssh_hardening"
hosts: thismachine
connection: local
roles:
- ssh_hardening

47
hosts Normal file
View file

@ -0,0 +1,47 @@
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
#green.example.com
#blue.example.com
#192.168.100.1
#192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
#[webservers]
#alpha.example.org
#beta.example.org
#192.168.1.100
#192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
#www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
#[dbservers]
#
#db01.intranet.mydomain.net
#db02.intranet.mydomain.net
#10.25.1.56
#10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
#db-[99:101]-node.example.com
[thismachine]
127.0.0.1

2
keys/panda.key.pub Normal file
View file

@ -0,0 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDggvHQafvmP/bTxL4N0ZllGYuHlOVH66iOmgI4FXbndfwhWXumVVWR7W24UTz1SWdfrakDvz87QY4F6mva4pVSNgXQtKCFYewSrCw5+hxF/iHncwYTAq6TJFfGEXtb1irJDEJAnatCINQqZD5vEXkogbansfMvhq0xnnbO0PeTb3QMAGr+2WtZhsUoLY60TQY3nKvTUIzNeCMZBrlNXZueyVTsldyLZY0izkP6c14UjzhrCJ9K0GrbquDyHHb2H3eBiDLknQkmiqWSemWWnZTE0NaJad+tI+yrORa7S5LeuIg1uD0xxkACz+oSIwg8TVDViOyFSUqQ5CoJnQlWKk6YWNyZiPkQSfNt4em/hrVNma6bCgFQaV/pYaRIhze+LkGRyHfC1eHGIK/NGNBYiHF0/sTOpDIFiFrTUXwo5L6J01hR1wu4hjLgRPWteMaPtp6z6ujrTxQo/U1a6b3nKiMzBor4engCsDxJ2ulpy9kRmy5YcEz4+hzmAfI2EcnJALXR2QAGrp5ZYqG7u1aNmzU5P4L78ypJ3q5NWKkUR+RhyNwwb1/BRGhzn4tadjO3Ft0G4LxxTMShWnDBA8N7+WtexP92LuJZm7jPdPC2nF9i5TQInFBNxTzvl3Pk7/ckqUjPXxM57O6ykLuF3FMO6oBPEhGdkddSwNBPUA1oIEmu/w== gino@hl

8
lldp.yml Normal file
View file

@ -0,0 +1,8 @@
# playbook.yml:
---
- name: "lldp"
hosts: thismachine
connection: local
roles:
- lldp

116
repo/bashrc Normal file
View file

@ -0,0 +1,116 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=999999
HISTFILESIZE=200000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -lahs --color=auto'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
HISTTIMEFORMAT="%Y-%m-%d_%T - "
export PS1="\[\e[00;37m\]\t_\[\e[0m\]\[\e[00;33m\]\u\[\e[0m\]\[\e[00;37m\]@\[\e[0m\]\[\e[01;31m\]\h\[\e[0m\]\[\e[00;37m\]:\[\e[0m\]\[\e[00;36m\][\w]:\\$\[\e[0m\]\[\e[00;37m\]\[\e[0m\]"
cd ~

16
repo/telegraf_settings Normal file
View file

@ -0,0 +1,16 @@
telegraf now installed, edit /etc/telegraf/telegraf.conf adding:
[[outputs.influxdb]]
urls = ["http://SERVER:PORT"]
database = "DB"
username = "USER"
password = "PASS"
and restart it
just
cat repo/telegraf_settings
for all the info not garbled

74
repo/transmission_settings Normal file
View file

@ -0,0 +1,74 @@
{
"alt-speed-down": 1215751,
"alt-speed-enabled": true,
"alt-speed-time-begin": 90,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 420,
"alt-speed-up": 3567586,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": true,
"blocklist-url": "http://john.bitsurge.net/public/biglist.p2p.gz",
"cache-size-mb": 4,
"dht-enabled": true,
"download-dir": "/data/torrents/",
"download-limit": 100,
"download-limit-enabled": 0,
"download-queue-enabled": false,
"download-queue-size": 5,
"encryption": 2,
"idle-seeding-limit": 30,
"idle-seeding-limit-enabled": false,
"incomplete-dir": "/data/torrents/_incomplete/",
"incomplete-dir-enabled": true,
"lpd-enabled": true,
"max-peers-global": 200,
"message-level": 1,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 16959,
"peer-limit-per-torrent": 9999,
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": false,
"preallocation": 1,
"prefetch-enabled": 1,
"queue-stalled-enabled": true,
"queue-stalled-minutes": 30,
"ratio-limit": 2,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": true,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-password": "{8ed7b18864b8eba7ea5aa5b5df1ef3c7494f9c7fm7lsHLa0",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "transmission",
"rpc-whitelist": "0.0.0.0",
"rpc-whitelist-enabled": false,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 10,
"speed-limit-down": 20000,
"speed-limit-down-enabled": true,
"speed-limit-up": 1020,
"speed-limit-up-enabled": true,
"start-added-torrents": true,
"trash-original-torrent-files": true,
"umask": 18,
"upload-limit": 100,
"upload-limit-enabled": 0,
"upload-slots-per-torrent": 14,
"utp-enabled": true,
"watch-dir": "/data/torrents/_watchdir/",
"watch-dir-enabled": true
}

29
roles/lldp/tasks/main.yml Normal file
View file

@ -0,0 +1,29 @@
- name: Install lldpd
apt:
pkg:
- lldpd
- name: stop transmission
systemd:
state: stopped
name: lldpd
- name: memorize hostname variable
shell: hostname
register: hostname
- set_fact:
hostname={{ hostname.stdout }}
- name: Add a line to a file if the file does not exist, without passing regexp
lineinfile:
# path: /etc/lldpd.d/hostname.conf
destfile: /etc/lldpd.d/hostname.conf
line: configure system description {{ hostname }}
create: yes
state: present
- name: stop transmission
systemd:
state: started
name: lldpd

13
roles/ssh_hardening/tasks/main.yml Normal file
View file

@ -0,0 +1,13 @@
- name: Password based logins are disabled - only public key based logins are allowed.
lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'
- lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
- name: restart sshd
systemd:
state: restarted
daemon_reload: yes
name: sshd

73
roles/telegraf/tasks/main.yml Normal file
View file

@ -0,0 +1,73 @@
- name: Install telegraf prerequsistes
apt:
pkg:
- apt-transport-https
- curl
- name: Add influx repo key
shell: curl -sL https://repos.influxdata.com/influxdb.key | apt-key add -
#- name: Check system version
# shell: source /etc/os-release
# args:
# executable: /bin/bash
#
#- set_fact: VERSION_ID="{{ lookup('env','VERSION_ID') }}"
- name: memorize debian version variable
shell: cat /etc/debian_version | cut -d. -f1
register: debian_version
- set_fact:
debian_version={{ debian_version.stdout }}
- name: add repo for debian 7
when: "{{ debian_version }} == 7"
shell: echo "deb https://repos.influxdata.com/debian wheezy stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: add repo for debian 8
when: "{{ debian_version }} == 8"
shell: echo "deb https://repos.influxdata.com/debian jessie stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: add repo for debian 9
when: "{{ debian_version }} == 9"
shell: echo "deb https://repos.influxdata.com/debian stretch stable" | tee /etc/apt/sources.list.d/influxdb.list
- name: Update repositories cache
apt:
update_cache: yes
- name: telegraf
apt:
pkg:
- telegraf
- name: create telegraf basic config
shell: telegraf -sample-config -input-filter cpu:mem:swap:net:netstat:disk:diskio:docker:system:processes:kernel:sysstat:conntrack:nstat:iptables:sensors -output-filter influxdb > /etc/telegraf/telegraf.conf
- name: restart telegraf
systemd:
state: restarted
name: telegraf
- name: restart telegraf
systemd:
enabled: yes
name: telegraf
#- name: display public key
# vars:
# debug:
# msg:
# - 'telegraf now installed, edit /etc/telegraf/telegraf.conf adding:'
# - '[[outputs.influxdb]]'
# - ' urls = ["http://172.20.1.168:8086"]'
# - ' database = "telegraf_vcn_int"'
# - ' username = "telegraf_akari"'
# - ' password = "FCw7izWVan8cnh3upuwxtn15pnlhjWY2"'
- name: display help next steps
vars:
contents: "{{ lookup('file', 'repo/telegraf_settings') }}"
debug: msg="{{ contents.split('\n') }}"

57
roles/transmission/tasks/main.yml Normal file
View file

@ -0,0 +1,57 @@
- name: Install transmission
apt:
pkg:
- transmission-daemon
- name: stop transmission
systemd:
state: stopped
name: transmission-daemon
- name: "Copy file with owner and permissions"
copy:
backup: yes
src: "{{ playbook_dir }}/repo/transmission_settings"
dest: /etc/transmission-daemon/settings.json
owner: debian-transmission
group: debian-transmission
mode: '0600'
- name: Create dir /data
file:
path: /data
state: directory
owner: root
group: root
mode: '0755'
- name: Create dir /data/torrents
file:
path: /data/torrents
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: Create dir /data/torrents/_incomplete
file:
path: /data/torrents/_incomplete
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: Create dir /data/torrents/_watchdir
file:
path: /data/torrents/_watchdir
state: directory
owner: debian-transmission
group: debian-transmission
mode: '0755'
- name: restart transmission
systemd:
state: restarted
daemon_reload: yes
name: transmission-daemon

13
roles/vcn/tasks/main.yml Normal file
View file

@ -0,0 +1,13 @@
- name: create vcn folder
file:
path: /etc/tinc/vcn
state: directory
mode: '0700'
- name: create keys
shell: tincd -n vcn -K4096
- name: display public key
vars:
contents: "{{ lookup('file', '/etc/tinc/vcn/rsa_key.pub') }}"
debug: msg="vcn public key is {{ contents }}"

9
telegraf.yml Normal file
View file

@ -0,0 +1,9 @@
# playbook.yml:
---
- name: "telegraf"
hosts: thismachine
connection: local
roles:
- telegraf

8
to_add.txt Normal file
View file

@ -0,0 +1,8 @@
vcn:
nano /lib/systemd/system/tinc@.service
ExecStart=/usr/sbin/tincd -n %i -D --logfile
ExecReload=/usr/sbin/tincd -n %i -kHUP --logfile
systemctl restart tinc@vcn

8
transmission.yml Normal file
View file

@ -0,0 +1,8 @@
# playbook.yml:
---
- name: "transmission"
hosts: thismachine
connection: local
roles:
- transmission

9
vcn.yml Normal file
View file

@ -0,0 +1,9 @@
# playbook.yml:
---
- name: "vcn"
hosts: thismachine
connection: local
roles:
- vcn