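# playbook.yml:
#
# Bootstraps an apt-based host from the machine itself (connection: local):
# refuses to run on placeholder values in variables.yml, sets hostname and
# timezone, installs base packages, creates the listed users with their public
# keys, writes and loads a default-deny iptables/ip6tables ruleset, persists it
# for iptables-persistent, and finally applies the ssh_hardening role.
# variables.yml is expected to define: users (list), hostname, timezone.
---
- name: "common config"
  hosts: localhost
  connection: local
  vars_files:
    - variables.yml
  tasks:
    # Abort early on the unedited template values so the host is never
    # configured with a placeholder user or hostname.
    - name: "check the variable: users"
      fail:
        msg: "The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in users'

    - name: "check the variable: hostname"
      fail:
        msg: "The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in hostname'

    # - name: "check the variable: tinc_vpn"
    #   fail:
    #     msg: "The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
    #   when: '"CHANGEME" in tinc_vpn'
    ###

    - name: "change hostname to {{ hostname }}"
      hostname:
        name: "{{ hostname }}"

    # Keep the loopback entry resolving the new hostname as well.
    - name: add myself to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.0\.1[ \t]+localhost'
        line: '127.0.0.1 localhost {{ hostname }}'
        state: present

    - name: "Set timezone to {{ timezone }}"
      timezone:
        name: "{{ timezone }}"

    - name: Update repositories cache
      apt:
        update_cache: true

    - name: Install a list of packages
      apt:
        pkg:
          - htop
          - iotop
          # - glances
          - screen
          - sysstat
          - git
          - nmap
          - ntp
          - tinc
          - fail2ban
          - iptables-persistent
          - ssh
          - locales-all
          - curl
          - wget
          - net-tools

    # This interface is the one the SSH/ICMP accept rules below are bound to.
    - name: Show the interface the firewall rules are bound to
      debug:
        msg: "The main interface is {{ ansible_default_ipv4.interface }}"

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      with_items: "{{ users }}"

    # One public key per user, read from keys/<user>.key.pub next to the playbook.
    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
      with_items: "{{ users }}"

    - name: Fix Debian10's shitty executables paths
      lineinfile:
        dest: /etc/environment
        line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
        state: present
      # Compare the major version numerically: as strings '9' >= '10' is true,
      # which wrongly applied this task to Debian 8/9 as well.
      when: "ansible_distribution == 'Debian' and ansible_distribution_major_version | int >= 10"

    # Default-deny IPv4 filter: only loopback, SSH on the main interface (via
    # the fail2ban-ssh chain), ICMP echo and RELATED/ESTABLISHED traffic get in.
    - name: create rules.v4
      blockinfile:
        create: true
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    # IPv6: every chain (INPUT, FORWARD, OUTPUT) drops by default.
    - name: create rules.v6
      blockinfile:
        create: true
        state: present
        dest: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    # Load the rulesets now; no shell features are needed, so the command
    # module is enough.
    - name: reload iptables v4
      command: /sbin/iptables-restore /scripts/rules.v4

    - name: reload iptables v6
      command: /sbin/ip6tables-restore /scripts/rules.v6

    # Persist the live rules where iptables-persistent (installed above)
    # reloads them at boot; the redirect needs the shell module.
    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6

    - name: "Copy file with owner and permissions"
      copy:
        backup: true
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'

    # NOTE(review): an earlier comment here said 5, but the value applied is
    # 0 — confirm which is intended.
    - name: Set vm.swappiness to 0 in /etc/sysctl.conf
      sysctl:
        name: vm.swappiness
        value: '0'
        state: present

- name: "ssh_hardening"
  # NOTE(review): the first play targets localhost while this one targets
  # 'thismachine'; it only runs if the inventory defines that host.
  hosts: thismachine
  connection: local
  roles:
    - ssh_hardening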