Ansible_PUBLIC/common.yml

# playbook.yml:
---
- name: "common config"
  hosts: localhost
  connection: local
  vars_files:
    - variables.yml

  tasks:
    - name: "check the variable: users"
      fail: msg="The user in the list 'users' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in users'

    - name: "check the variable: hostname"
      fail: msg="The variable 'hostname' in variables.yml, has to be set to somethings else than CHANGEME"
      when: '"CHANGEME" in hostname'

#    - name: "check the variable: tinc_vpn"
#      fail: msg="The variable 'tinc_vpn' in variables.yml, has to be set to somethings else than CHANGEME"
#      when: '"CHANGEME" in tinc_vpn'

###

    - name: change hostname to myserver
      hostname:
        name: "{{ hostname }}"

    - name: add myself to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.0\.1[ \t]+localhost'
        line: '127.0.0.1 localhost {{ hostname }}'
        state: present


    - name: Set timezone to {{ timezone }}
      timezone:
        name: "{{ timezone }}"

    - name: Update repositories cache
      apt:
        update_cache: yes

    - name: Install a list of packages
      apt:
        pkg:
        - htop
        - iotop
#        - glances
        - screen
        - sysstat
        - git
        - nmap
        - ntp
        - tinc
        - fail2ban
        - iptables-persistent
        - ssh
        - locales-all
        - curl
        - wget
        - net-tools
        - apt-transport-https
        - ca-certificates
        - gnupg
        - lsb-release
        - rsync
        - telnet

    - debug:
        msg: The main interface is {{ ansible_default_ipv4.interface }}

    - name: Create a directory if it does not exist
      file:
        path: /scripts
        state: directory
        mode: '0755'

    - name: "Create user accounts and add users to groups"
      user:
        name: "{{ item }}"
        shell: "/bin/bash"
      with_items: "{{ users }}"

    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
      with_items: "{{ users }}"

    - name: Fix Debian10's shitty executables paths
      lineinfile:
        dest: /etc/environment
        line: 'PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"'
        state: present
      when: ansible_distribution == 'Debian' and ansible_distribution_major_version >= '10'

    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    - name: create rules.v6
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v6"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT DROP [0:0]
          COMMIT
          # Completed on Tue Nov 19 22:58:08 2019

    - name: reload iptables v4
      action: shell /sbin/iptables-restore /scripts/rules.v4

    - name: reload iptables v4
      action: shell /sbin/ip6tables-restore /scripts/rules.v6

    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    - name: save iptables v6 rules
      shell: ip6tables-save > /etc/iptables/rules.v6


    - name: "Copy file with owner and permissions"
      copy:
        backup: yes
        src: "{{ playbook_dir }}/repo/bashrc"
        dest: /root/.bashrc
        owner: root
        group: root
        mode: '0644'

    - name: "Register if we are running baremetal (none), virtualized (kvm) or container (lxc)"
      command: systemd-detect-virt --container
      register: systemd_detect_virt

    # Set vm.swappiness to 1 in /etc/sysctl.conf
    - name: "Set swappiness to zero in sysctl.conf"
      sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
      when: systemd_detect_virt.stdout == "none"

    - name: "Set nf_conntrack_max to 131072 in sysctl.conf, suitable for max 4gb of ram, conntrack_max = RAMSIZE (in bytes)/16384/2 = 4*1024*1024*1024/16384/2 = 4*32768 = 131072"
      sysctl:
        name: net.netfilter.nf_conntrack_max
        value: '131072'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
        #source: https://support.huaweicloud.com/intl/en-us/trouble-ecs/ecs_trouble_0324.html
      when: systemd_detect_virt.stdout == "none"

    - name: Disable IPv6 with sysctl
      sysctl: name={{ item }} value=1 state=present reload=yes
      with_items:
        - net.ipv6.conf.all.disable_ipv6
        - net.ipv6.conf.default.disable_ipv6
        - net.ipv6.conf.lo.disable_ipv6
      when: systemd_detect_virt.stdout == "none"

    - ansible.builtin.include_role:
        name: ssh_hardening

    - name: "copy iptables disable script to/scripts"
      copy:
        backup: yes
        src: "{{ playbook_dir }}/repo/disable_iptables.sh"
        dest: /scripts/disable_iptables.sh
        owner: root
        group: root
        mode: '0744'