159 lines
4.4 KiB
YAML
159 lines
4.4 KiB
YAML
# playbook.yml:
|
|
---
|
|
- name: "common config"
|
|
hosts: thismachine
|
|
connection: local
|
|
vars_files:
|
|
- variables.yml
|
|
|
|
tasks:
|
|
- name: "check the variable: users"
|
|
fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
when: '"CHANGEME" in users'
|
|
|
|
- name: "check the variable: hostname"
|
|
fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
when: '"CHANGEME" in hostname'
|
|
|
|
- name: "check the variable: tinc_vpn"
|
|
fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
|
|
when: '"CHANGEME" in tinc_vpn'
|
|
|
|
###
|
|
|
|
- name: change hostname to myserver
|
|
hostname:
|
|
name: "{{ hostname }}"
|
|
|
|
- name: add myself to /etc/hosts
|
|
lineinfile:
|
|
dest: /etc/hosts
|
|
regexp: '^127\.0\.0\.1[ \t]+localhost'
|
|
line: '127.0.0.1 localhost {{ hostname }}'
|
|
state: present
|
|
|
|
|
|
- name: Set timezone to {{ timezone }}
|
|
timezone:
|
|
name: "{{ timezone }}"
|
|
|
|
- name: Update repositories cache
|
|
apt:
|
|
update_cache: yes
|
|
|
|
- name: Install a list of packages
|
|
apt:
|
|
pkg:
|
|
- htop
|
|
- iotop
|
|
- glances
|
|
- screen
|
|
- sysstat
|
|
- git
|
|
- nmap
|
|
- ntp
|
|
- tinc
|
|
- fail2ban
|
|
- iptables-persistent
|
|
- ssh
|
|
- locales-all
|
|
- curl
|
|
- wget
|
|
- net-tools
|
|
|
|
- debug:
|
|
msg: The main interface is {{ ansible_default_ipv4.interface }}
|
|
|
|
- name: Create a directory if it does not exist
|
|
file:
|
|
path: /scripts
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: "Create user accounts and add users to groups"
|
|
user:
|
|
name: "{{ item }}"
|
|
shell: "/bin/bash"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: "Add authorized keys"
|
|
authorized_key:
|
|
user: "{{ item }}"
|
|
key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fix Debian10's shitty executables paths
|
|
lineinfile:
|
|
dest: /etc/environment
|
|
line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
|
|
state: present
|
|
when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '10'
|
|
|
|
- name: create rules.v4
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/scripts/rules.v4"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [372:91728]
|
|
:fail2ban-ssh - [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -j DROP
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
-A fail2ban-ssh -j RETURN
|
|
COMMIT
|
|
# Completed on Tue Nov 19 22:41:29 2019
|
|
|
|
- name: create rules.v6
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/scripts/rules.v6"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
# Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT DROP [0:0]
|
|
COMMIT
|
|
# Completed on Tue Nov 19 22:58:08 2019
|
|
|
|
- name: reload iptables v4
|
|
action: shell /sbin/iptables-restore /scripts/rules.v4
|
|
|
|
- name: reload iptables v4
|
|
action: shell /sbin/ip6tables-restore /scripts/rules.v6
|
|
|
|
- name: save iptables v4 rules
|
|
shell: iptables-save > /etc/iptables/rules.v4
|
|
|
|
- name: save iptables v6 rules
|
|
shell: ip6tables-save > /etc/iptables/rules.v6
|
|
|
|
|
|
- name: "Copy file with owner and permissions"
|
|
copy:
|
|
backup: yes
|
|
src: "{{ playbook_dir }}/repo/bashrc"
|
|
dest: /root/.bashrc
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
|
|
|
|
- name: "ssh_hardening"
|
|
hosts: thismachine
|
|
connection: local
|
|
roles:
|
|
- ssh_hardening
|