authorbnewbold <bnewbold@robocracy.org>2016-03-25 11:49:45 -0700
committerbnewbold <bnewbold@robocracy.org>2016-03-25 11:49:45 -0700
commitbe8701c13800eb84fc4afb118c16738abee55850 (patch)
tree7060e1b8ca09c1c9fd2957ba258a9ad624035d1d /roles/common/tasks
import basics from NSA's commission repo
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/extras.yml12
-rw-r--r--roles/common/tasks/main.yml90
-rw-r--r--roles/common/tasks/ntp.yml16
-rw-r--r--roles/common/tasks/security.yml26
-rw-r--r--roles/common/tasks/users.yml6
5 files changed, 150 insertions, 0 deletions
diff --git a/roles/common/tasks/extras.yml b/roles/common/tasks/extras.yml
new file mode 100644
index 0000000..9a4bd2f
--- /dev/null
+++ b/roles/common/tasks/extras.yml
@@ -0,0 +1,12 @@
+---
+- name: Install extras that Everybody wants
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - build-essential
+ - cowsay
+ - figlet
+ - ipython
+ - ipython3
+ tags:
+ - dependencies
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d4c2347
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+
+- name: Update apt cache
+ apt: update_cache=yes cache_valid_time=3600
+ tags:
+ - dependencies
+
+- name: Upgrade all safe packages
+ apt: upgrade=safe
+ tags:
+ - dependencies
+
+- name: Install necessities and nice-to-haves
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - apt-transport-https
+ - apticron
+ - aptitude
+ - bzip2
+ - ca-certificates
+ - curl
+ - debian-goodies
+ - dialog
+ - dnsutils
+ - etckeeper
+ # fail2ban in security
+ - file
+ - git
+ - htop
+ - iftop
+ - ifupdown
+ - iotop
+ - iproute
+ - iputils-ping
+ - isc-dhcp-client
+ - less
+ - libui-dialog-perl
+ - locales
+ - locales-all
+ - lsof
+ - lvm2
+ - man-db
+ - manpages-dev
+ - molly-guard
+ - mosh
+ - mtr-tiny
+ - netbase
+ - netcat
+ - net-tools
+ - ngrep
+ - openssh-server
+ - openssl
+ - pv
+ - python
+ - python-software-properties
+ # rkhunter in security
+ - screen
+ - sudo
+ - tcpdump
+ - unzip
+ - unattended-upgrades
+ - vim-nox
+ - wget
+ tags:
+ - dependencies
+
+- name: timezone - configure /etc/timezone
+ copy:
+ content: "{{ common_timezone | regex_replace('$', '\n') }}"
+ dest: /etc/timezone
+ owner: root
+ group: root
+ mode: 0644
+ register: common_timezone_config
+
+- name: timezone - Set localtime to UTC
+ file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime
+ when: common_timezone_config.changed
+
+- name: timezone - reconfigure tzdata
+ command: dpkg-reconfigure --frontend noninteractive tzdata
+ when: common_timezone_config.changed
+
+- name: Apticron email configuration
+ template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
+
+#- include: users.yml tags=users
+- include: security.yml tags=security
+- include: ntp.yml tags=ntp
+- include: extras.yml tags=extras
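Review bot: The "timezone - Set localtime to UTC" task hardcodes `Etc/UTC` while the preceding task writes `common_timezone` into /etc/timezone, so the two files disagree whenever that variable is anything other than UTC; and since the task passes `src` without `state=link`, as far as I can tell the `file` module will not create the symlink at all. The line should be `file: src=/usr/share/zoneinfo/{{ common_timezone }} dest=/etc/localtime state=link force=yes` (or dropped entirely, since the following `dpkg-reconfigure tzdata` step regenerates /etc/localtime from /etc/timezone anyway — verify on the target release). Separately, `mode: 0644` in the copy task relies on the YAML parser reading the literal as octal; `mode: "0644"` is the form Ansible recommends and is what users.yml already does inside its key=value string. The `regex_replace('$', '\n')` filter is also more simply written as `content: "{{ common_timezone }}\n"`.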
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
new file mode 100644
index 0000000..c1489fd
--- /dev/null
+++ b/roles/common/tasks/ntp.yml
@@ -0,0 +1,16 @@
+---
+# Defines tasks applicable for NTP (Network Time Protocol)
+
+- name: Install ntp
+ apt: pkg=ntp state=installed
+ tags:
+ - dependencies
+
+- name: Configure ntp
+ template: src=ntp.conf.j2 dest=/etc/ntp.conf
+ notify:
+ - restart ntp
+
+- name: Ensure ntpd is running and enabled
+ service: name=ntp state=started enabled=yes
+
diff --git a/roles/common/tasks/security.yml b/roles/common/tasks/security.yml
new file mode 100644
index 0000000..c00b941
--- /dev/null
+++ b/roles/common/tasks/security.yml
@@ -0,0 +1,26 @@
+---
+- name: Install security-related packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - fail2ban
+ - whois
+ - lynis
+ - rkhunter
+ - debsums
+ tags:
+ - dependencies
+
+- name: Copy fail2ban configuration into place
+ template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+ notify: restart fail2ban
+
+- name: Ensure fail2ban is started
+ service: name=fail2ban state=started enabled=yes
+
+- name: Update sshd (server) config for PFS and more secure defaults
+ template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
+ notify: restart ssh
+
+- name: Update ssh (client) config for more secure defaults
+ template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config
+
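Review bot: The sshd_config task deploys a template and notifies `restart ssh` without validating the result, so a templating mistake in etc_ssh_sshd_config.j2 takes the daemon down on the restart and locks out remote access. The template module supports the same `validate` option the sudoers task in users.yml uses; add it here: `template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config validate='/usr/sbin/sshd -t -f %s'`. The ssh client config task on the following lines needs no notify, but it would benefit from an explicit `owner=root group=root mode=0644` so a previously mis-permissioned file is corrected rather than inherited.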
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..8171bd6
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,6 @@
+---
+- name: Create main user account
+ user: name={{ main_user_name }} state=present shell={{ main_user_shell }} groups=sudo
+
+- name: Give main user account sudo power
+ template: src=roles/common/templates/sudoers.j2 dest=/etc/sudoers.d/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'
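Review bot: `user: ... groups=sudo` without `append=yes` replaces the account's entire supplementary-group list on every run, silently removing any other groups the user was added to out of band; the line should be `user: name={{ main_user_name }} state=present shell={{ main_user_shell }} groups=sudo append=yes`. The sudoers task also uses `src=roles/common/templates/sudoers.j2`, a playbook-relative path, whereas security.yml and ntp.yml use role-relative `src=name.j2`; `src=sudoers.j2` keeps the role self-contained and works regardless of the invocation directory. Note that main.yml only includes this file on a commented-out line, so neither task currently runs — presumably deliberate, but worth stating in the include comment.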