Ansible_PUBLIC/common.yml

# playbook.yml:
---
- name: "common config"
  hosts: thismachine
  connection: local
  vars_files:
    - variables.yml

  tasks:
    - fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in users'

    - fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in hostname'

    - fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in tinc_vpn'

###

    - name: change hostname to myserver
      hostname:
        name: "{{ hostname }}"

    - name: add myself to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.0\.1[ \t]+localhost'
        line: '127.0.0.1 localhost {{ hostname }}'
        state: present


    - name: Set timezone to {{ timezone }}
      timezone:
        name: {{ timezone }}

    - name: Update repositories cache
      apt:
        update_cache: yes

    - name: Install a list of packages
      apt:
        pkg:
        - htop
        - iotop
        - glances
        - screen
        - sysstat
        - git
        - nmap
        - ntp
        - tinc
        - fail2ban
        - iptables-persistent

    - debug:
        msg: The main interface is {{ ansible_default_ipv4.interface }}

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      with_items: "{{ users }}"

    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
      with_items: "{{ users }}"

    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    - name: create rules.v6
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    - name: reload iptables v4
      action: shell /sbin/iptables-restore -! < /scripts/rules.v4

    - name: reload iptables v4
      action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6

    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6


    - name: "Copy file with owner and permissions"
      copy:
        backup: yes
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'


- name: "ssh_hardening"
  hosts: thismachine
  connection: local
  roles:
    - ssh_hardening