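# playbook.yml: baseline setup of the local machine — timezone, packages,
# user accounts with SSH public keys, an iptables/ip6tables ruleset persisted
# for iptables-persistent, root's .bashrc — followed by the ssh_hardening role.
#
# Fixes vs. the previous revision:
#   - the include_vars item sat directly under the play next to hosts/connection
#     (a sequence item inside a mapping), which is not valid play syntax; it is
#     now the first task so `users` is defined before it is looped over.
#   - the ip6tables reload task was also named "reload iptables v4"; renamed.
#   - `-!` is not a documented iptables-restore option and has been dropped;
#     the default flush-and-replace behaviour is what this play relies on.
#   - yes/no booleans written as true/false, Jinja-bearing values quoted.
---
- name: "common config"
  hosts: thismachine
  connection: local

  # variables.yml (loaded by the first task) is expected to define:
  # users:
  #   - testuser
  # Every listed user needs a public key at keys/<user>.key.pub next to this
  # playbook; the lookup below fails the play if one is missing.
  tasks:
    - name: Load play variables from variables.yml
      include_vars:
        file: "variables.yml"

    - name: Set timezone to Europe/Rome
      timezone:
        name: Europe/Rome

    - name: Update repositories cache
      apt:
        update_cache: true

    - name: Install a list of packages
      apt:
        pkg:
          - htop
          - iotop
          - glances
          - screen
          - sysstat
          - git
          - nmap
          - ntp
          - tinc
          - fail2ban
          - iptables-persistent

    - name: Show the interface the firewall rules are scoped to
      debug:
        msg: "The main interface is {{ ansible_default_ipv4.interface }}"

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    # No password is set, so these accounts can only log in with the key
    # installed below (assuming PasswordAuthentication is off — the
    # ssh_hardening role in the second play is expected to handle that).
    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      with_items: "{{ users }}"

    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/' + item + '.key.pub') }}"
      with_items: "{{ users }}"

    # IPv4 policy: default DROP on INPUT/FORWARD, OUTPUT open. Inbound only
    # loopback, SSH on the default interface (after passing through the
    # fail2ban-ssh chain), ICMP echo-request, and RELATED/ESTABLISHED.
    # Note: the unscoped `-p icmp --icmp-type 8 -j ACCEPT` line makes the
    # interface-scoped echo-request rule above it redundant; both are kept
    # as in the original ruleset.
    - name: create rules.v4
      blockinfile:
        create: true
        state: present
        path: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    # IPv6 policy: everything dropped, including OUTPUT, and there is no
    # `-i lo` / `-o lo` accept — so traffic to ::1 is dropped as well.
    # NOTE(review): this reads as "IPv6 off"; services bound to ::1 will
    # break — confirm that is intended.
    - name: create rules.v6
      blockinfile:
        create: true
        state: present
        path: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    # iptables-restore replaces the live tables with the file contents.
    # NOTE(review): that also resets the fail2ban-ssh chain to its bare
    # RETURN rule, discarding any bans fail2ban had inserted at runtime;
    # restarting fail2ban after this task would re-populate it.
    - name: reload iptables v4
      shell: /sbin/iptables-restore < /scripts/rules.v4

    - name: reload iptables v6
      shell: /sbin/ip6tables-restore < /scripts/rules.v6

    # /etc/iptables/rules.v4 and rules.v6 are the files iptables-persistent
    # loads at boot, so the live ruleset survives a reboot.
    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6

    - name: "Copy file with owner and permissions"
      copy:
        backup: true
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'

- name: "ssh_hardening"
  hosts: thismachine
  connection: local
  roles:
    - ssh_hardening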