import basics from NSA's commission repo

author: bnewbold <bnewbold@robocracy.org> 2016-03-25 11:49:45 -0700
committer: bnewbold <bnewbold@robocracy.org> 2016-03-25 11:49:45 -0700
commit: be8701c13800eb84fc4afb118c16738abee55850 (patch)
tree: 7060e1b8ca09c1c9fd2957ba258a9ad624035d1d /roles/common/tasks
download: infra-be8701c13800eb84fc4afb118c16738abee55850.tar.gz
infra-be8701c13800eb84fc4afb118c16738abee55850.zip
5 files changed, 150 insertions, 0 deletions
diff --git a/roles/common/tasks/extras.yml b/roles/common/tasks/extras.yml
new file mode 100644
index 0000000..9a4bd2f
--- /dev/null
+++ b/roles/common/tasks/extras.yml
@@ -0,0 +1,12 @@
+---
+- name: Install extras that Everybody wants
+  apt: pkg={{ item }} state=installed
+  with_items:
+    - build-essential
+    - cowsay
+    - figlet
+    - ipython
+    - ipython3
+  tags:
+    - dependencies
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d4c2347
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+
+- name: Update apt cache
+  apt: update_cache=yes cache_valid_time=3600
+  tags:
+    - dependencies
+
+- name: Upgrade all safe packages
+  apt: upgrade=safe
+  tags:
+    - dependencies
+
+- name: Install necessities and nice-to-haves
+  apt: pkg={{ item }} state=installed
+  with_items:
+    - apt-transport-https
+    - apticron
+    - aptitude
+    - bzip2
+    - ca-certificates
+    - curl
+    - debian-goodies
+    - dialog
+    - dnsutils
+    - etckeeper
+    # fail2ban in security
+    - file
+    - git
+    - htop
+    - iftop
+    - ifupdown
+    - iotop
+    - iproute
+    - iputils-ping
+    - isc-dhcp-client
+    - less
+    - libui-dialog-perl
+    - locales
+    - locales-all
+    - lsof
+    - lvm2
+    - man-db
+    - manpages-dev
+    - molly-guard
+    - mosh
+    - mtr-tiny
+    - netbase
+    - netcat
+    - net-tools
+    - ngrep
+    - openssh-server
+    - openssl
+    - pv
+    - python
+    - python-software-properties
+    # rkhunter in security
+    - screen
+    - sudo
+    - tcpdump
+    - unzip
+    - unattended-upgrades
+    - vim-nox
+    - wget
+  tags:
+    - dependencies
+
+- name: timezone - configure /etc/timezone
+  copy:
+    content: "{{ common_timezone | regex_replace('$', '\n') }}"
+    dest: /etc/timezone
+    owner: root
+    group: root
+    mode: 0644
+  register: common_timezone_config
+
+- name: timezone - Set localtime to UTC
+  file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime
+  when: common_timezone_config.changed
+
+- name: timezone - reconfigure tzdata
+  command: dpkg-reconfigure --frontend noninteractive tzdata
+  when: common_timezone_config.changed
+
+- name: Apticron email configuration
+  template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
+
+#- include: users.yml tags=users
+- include: security.yml tags=security
+- include: ntp.yml tags=ntp
+- include: extras.yml tags=extras
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
new file mode 100644
index 0000000..c1489fd
--- /dev/null
+++ b/roles/common/tasks/ntp.yml
@@ -0,0 +1,16 @@
+---
+# Defines tasks applicable for NTP (Network Time Protocol)
+
+- name: Install ntp
+  apt: pkg=ntp state=installed
+  tags:
+    - dependencies
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify:
+    - restart ntp
+
+- name: Ensure ntpd is running and enabled
+  service: name=ntp state=started enabled=yes
+
diff --git a/roles/common/tasks/security.yml b/roles/common/tasks/security.yml
new file mode 100644
index 0000000..c00b941
--- /dev/null
+++ b/roles/common/tasks/security.yml
@@ -0,0 +1,26 @@
+---
+- name: Install security-related packages
+  apt: pkg={{ item }} state=installed
+  with_items:
+    - fail2ban
+    - whois
+    - lynis
+    - rkhunter
+    - debsums
+  tags:
+    - dependencies
+
+- name: Copy fail2ban configuration into place
+  template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+  notify: restart fail2ban
+
+- name: Ensure fail2ban is started
+  service: name=fail2ban state=started enabled=yes
+
+- name: Update sshd (server) config for PFS and more secure defaults
+  template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
+  notify: restart ssh
+
+- name: Update ssh (client) config for more secure defaults
+  template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config
+
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..8171bd6
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,6 @@
+---
+- name: Create main user account
+  user: name={{ main_user_name }} state=present shell={{ main_user_shell }} groups=sudo
+
+- name: Give main user account sudo power
+  template: src=roles/common/templates/sudoers.j2 dest=/etc/sudoers.d/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'
author	bnewbold <bnewbold@robocracy.org>	2016-03-25 11:49:45 -0700
committer	bnewbold <bnewbold@robocracy.org>	2016-03-25 11:49:45 -0700
commit	be8701c13800eb84fc4afb118c16738abee55850 (patch)
tree	7060e1b8ca09c1c9fd2957ba258a9ad624035d1d /roles/common/tasks
download	infra-be8701c13800eb84fc4afb118c16738abee55850.tar.gz infra-be8701c13800eb84fc4afb118c16738abee55850.zip