
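# playbook.yml:
---
# Baseline configuration of the local host: hostname, package set, user
# accounts and their SSH keys, a default-deny iptables/ip6tables ruleset,
# sysctl tuning and SSH hardening (delegated to the ssh_hardening role).
# Input comes from variables.yml (users, hostname, timezone).
- name: "common config"
  hosts: localhost
  connection: local
  # Facts are read below (ansible_default_ipv4, ansible_distribution*);
  # fact gathering is on by default, stated explicitly so it is not lost.
  gather_facts: true
  vars_files:
    - variables.yml
  tasks:
    # Refuse to run while variables.yml still holds the shipped placeholders.
    - name: "check the variable: users"
      fail:
        msg: "The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in users'

    - name: "check the variable: hostname"
      fail:
        msg: "The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in hostname'

    # - name: "check the variable: tinc_vpn"
    #   fail:
    #     msg: "The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
    #   when: '"CHANGEME" in tinc_vpn'
    ###

    - name: change hostname to myserver
      hostname:
        name: "{{ hostname }}"

    # Keep the new hostname resolvable locally by extending the 127.0.0.1 line.
    - name: add myself to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.0\.1[ \t]+localhost'
        line: '127.0.0.1 localhost {{ hostname }}'
        state: present

    - name: Set timezone to {{ timezone }}
      timezone:
        name: "{{ timezone }}"

    - name: Update repositories cache
      apt:
        update_cache: true

    # iptables-persistent provides the boot-time restore of /etc/iptables/rules.v*
    # written further down; fail2ban owns the fail2ban-ssh chain referenced in rules.v4.
    - name: Install a list of packages
      apt:
        pkg:
          - htop
          - iotop
          # - glances
          - screen
          - sysstat
          - git
          - nmap
          - ntp
          - tinc
          - fail2ban
          - iptables-persistent
          - ssh
          - locales-all
          - curl
          - wget
          - net-tools
          - apt-transport-https
          - ca-certificates
          - gnupg
          - lsb-release
          - rsync
          - telnet

    # The firewall rules below are bound to this interface; print it so a wrong
    # pick (e.g. a VPN or docker interface) is visible in the run output.
    - name: Show the interface the firewall rules are bound to
      debug:
        msg: "The main interface is {{ ansible_default_ipv4.interface }}"

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      loop: "{{ users }}"

    # One public key per user, read from keys/<user>.key.pub next to the playbook.
    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
      loop: "{{ users }}"

    # Compare the major version numerically: as strings, '9' >= '10' is true
    # and the task would also fire on Debian 8/9.
    - name: Fix Debian10's shitty executables paths
      lineinfile:
        dest: /etc/environment
        line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
        state: present
      when: ansible_distribution == 'Debian' and ansible_distribution_major_version | int >= 10

    # Default-deny inbound: loopback, SSH (passed through the fail2ban-ssh chain
    # first), ICMP echo and established/related traffic are accepted, everything
    # else is dropped. Outbound is unrestricted. The fail2ban-ssh chain is left
    # empty here because fail2ban fills it at runtime; restoring this file
    # replaces the live table, so active bans are lost until fail2ban reloads.
    - name: create rules.v4
      blockinfile:
        create: true
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    # IPv6 is dropped in every direction; it is additionally disabled via sysctl below.
    - name: create rules.v6
      blockinfile:
        create: true
        state: present
        dest: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    # Load the generated rule files into the kernel. `command` is enough here
    # (no shell features are used). These run on every play and always report
    # changed; they are not tied to whether the files above actually changed.
    - name: reload iptables v4
      command: /sbin/iptables-restore /scripts/rules.v4

    - name: reload iptables v6
      command: /sbin/ip6tables-restore /scripts/rules.v6

    # Persist the running tables where iptables-persistent picks them up at boot.
    # Shell redirection is needed, hence `shell` rather than `command`.
    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6

    - name: "Copy file with owner and permissions"
      copy:
        backup: true
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'

    # - name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"
    #   command: systemd-detect-virt --container
    #   register: systemd_detect_virt

    # Set vm.swappiness to 1 in /etc/sysctl.conf
    - name: "Set swappiness to 1 in sysctl.conf"
      sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        reload: true
        sysctl_file: /etc/sysctl.conf
      # when: systemd_detect_virt.stdout == "none"

    - name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4*1024*1024*1024/16384/2 = 4*32768 = 131072"
      sysctl:
        name: net.netfilter.nf_conntrack_max
        value: '131072'
        state: present
        reload: true
        sysctl_file: /etc/sysctl.conf
      # source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html
      # when: systemd_detect_virt.stdout == "none"

    # No sysctl_file given here, so these land in the module's default file.
    - name: Disable IPv6 with sysctl
      sysctl:
        name: "{{ item }}"
        value: '1'
        state: present
        reload: true
      loop:
        - net.ipv6.conf.all.disable_ipv6
        - net.ipv6.conf.default.disable_ipv6
        - net.ipv6.conf.lo.disable_ipv6
      # when: systemd_detect_virt.stdout == "none"

    # SSH daemon/client hardening lives in a separate role.
    - ansible.builtin.include_role:
        name: ssh_hardening

    # Emergency script to open the firewall; 0744 keeps it executable by root only.
    - name: "copy iptables disable script to/scripts"
      copy:
        backup: true
        src: "{{ playbook_dir }}/repo/disable_iptables.sh"
        dest: /scripts/disable_iptables.sh
        owner: root
        group: root
        mode: '0744'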