203 lines
6 KiB
YAML
203 lines
6 KiB
YAML
# playbook.yml:
|
|
---
|
|
- name: "common config"
|
|
hosts: localhost
|
|
connection: local
|
|
vars_files:
|
|
- variables.yml
|
|
|
|
tasks:
|
|
- name: "check the variable: users"
|
|
fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
when: '"CHANGEME" in users'
|
|
|
|
- name: "check the variable: hostname"
|
|
fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
when: '"CHANGEME" in hostname'
|
|
|
|
# - name: "check the variable: tinc_vpn"
|
|
# fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
# when: '"CHANGEME" in tinc_vpn'
|
|
|
|
###
|
|
|
|
- name: change hostname to myserver
|
|
hostname:
|
|
name: "{{ hostname }}"
|
|
|
|
- name: add myself to /etc/hosts
|
|
lineinfile:
|
|
dest: /etc/hosts
|
|
regexp: '^127\.0\.0\.1[ \t]+localhost'
|
|
line: '127.0.0.1 localhost {{ hostname }}'
|
|
state: present
|
|
|
|
|
|
- name: Set timezone to {{ timezone }}
|
|
timezone:
|
|
name: "{{ timezone }}"
|
|
|
|
- name: Update repositories cache
|
|
apt:
|
|
update_cache: yes
|
|
|
|
- name: Install a list of packages
|
|
apt:
|
|
pkg:
|
|
- htop
|
|
- iotop
|
|
# - glances
|
|
- screen
|
|
- sysstat
|
|
- git
|
|
- nmap
|
|
- ntp
|
|
- tinc
|
|
- fail2ban
|
|
- iptables-persistent
|
|
- ssh
|
|
- locales-all
|
|
- curl
|
|
- wget
|
|
- net-tools
|
|
- apt-transport-https
|
|
- ca-certificates
|
|
- gnupg
|
|
- lsb-release
|
|
- rsync
|
|
- telnet
|
|
|
|
- debug:
|
|
msg: The main interface is {{ ansible_default_ipv4.interface }}
|
|
|
|
- name: Create a directory if it does not exist
|
|
file:
|
|
path: /scripts
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: "Create user accounts and add users to groups"
|
|
user:
|
|
name: "{{ item }}"
|
|
shell: "/bin/bash"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: "Add authorized keys"
|
|
authorized_key:
|
|
user: "{{ item }}"
|
|
key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fix Debian10's shitty executables paths
|
|
lineinfile:
|
|
dest: /etc/environment
|
|
line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
|
|
state: present
|
|
when: ansible_distribution == 'Debian' and ansible_distribution_major_version >= '10'
|
|
|
|
- name: create rules.v4
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/scripts/rules.v4"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [372:91728]
|
|
:fail2ban-ssh - [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -j DROP
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
-A fail2ban-ssh -j RETURN
|
|
COMMIT
|
|
# Completed on Tue Nov 19 22:41:29 2019
|
|
|
|
- name: create rules.v6
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/scripts/rules.v6"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
# Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT DROP [0:0]
|
|
COMMIT
|
|
# Completed on Tue Nov 19 22:58:08 2019
|
|
|
|
- name: reload iptables v4
|
|
action: shell /sbin/iptables-restore /scripts/rules.v4
|
|
|
|
- name: reload iptables v4
|
|
action: shell /sbin/ip6tables-restore /scripts/rules.v6
|
|
|
|
- name: save iptables v4 rules
|
|
shell: iptables-save > /etc/iptables/rules.v4
|
|
|
|
- name: save iptables v6 rules
|
|
shell: ip6tables-save > /etc/iptables/rules.v6
|
|
|
|
|
|
- name: "Copy file with owner and permissions"
|
|
copy:
|
|
backup: yes
|
|
src: "{{ playbook_dir }}/repo/bashrc"
|
|
dest: /root/.bashrc
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
|
|
# - name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"
|
|
# command: systemd-detect-virt --container
|
|
# register: systemd_detect_virt
|
|
|
|
# Set vm.swappiness to 1 in /etc/sysctl.conf
|
|
- name: "Set swappiness to zero in sysctl.conf"
|
|
sysctl:
|
|
name: vm.swappiness
|
|
value: '1'
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.conf
|
|
# when: systemd_detect_virt.stdout == "none"
|
|
|
|
- name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4*1024*1024*1024/16384/2 = 4*32768 = 131072"
|
|
sysctl:
|
|
name: net.netfilter.nf_conntrack_max
|
|
value: '131072'
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.conf
|
|
#source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html
|
|
# when: systemd_detect_virt.stdout == "none"
|
|
|
|
- name: Disable IPv6 with sysctl
|
|
sysctl: name={{ item }} value=1 state=present reload=yes
|
|
with_items:
|
|
- net.ipv6.conf.all.disable_ipv6
|
|
- net.ipv6.conf.default.disable_ipv6
|
|
- net.ipv6.conf.lo.disable_ipv6
|
|
# when: systemd_detect_virt.stdout == "none"
|
|
|
|
- ansible.builtin.include_role:
|
|
name: ssh_hardening
|
|
|
|
- name: "copy iptables disable script to/scripts"
|
|
copy:
|
|
backup: yes
|
|
src: "{{ playbook_dir }}/repo/disable_iptables.sh"
|
|
dest: /scripts/disable_iptables.sh
|
|
owner: root
|
|
group: root
|
|
mode: '0744'
|
|
|