author | bnewbold <bnewbold@robocracy.org> | 2016-03-25 11:49:45 -0700 |
---|---|---|
committer | bnewbold <bnewbold@robocracy.org> | 2016-03-25 11:49:45 -0700 |
commit | be8701c13800eb84fc4afb118c16738abee55850 (patch) | |
tree | 7060e1b8ca09c1c9fd2957ba258a9ad624035d1d /roles/common/tasks | |
import basics from NSA's commission repo
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/extras.yml | 12 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 90 | ||||
-rw-r--r-- | roles/common/tasks/ntp.yml | 16 | ||||
-rw-r--r-- | roles/common/tasks/security.yml | 26 | ||||
-rw-r--r-- | roles/common/tasks/users.yml | 6 |
5 files changed, 150 insertions, 0 deletions
diff --git a/roles/common/tasks/extras.yml b/roles/common/tasks/extras.yml
new file mode 100644
index 0000000..9a4bd2f
--- /dev/null
+++ b/roles/common/tasks/extras.yml
@@ -0,0 +1,12 @@
+---
+- name: Install extras that Everybody wants
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - build-essential
+ - cowsay
+ - figlet
+ - ipython
+ - ipython3
+ tags:
+ - dependencies
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..d4c2347
--- /dev/null
+++ b/roles/common/tasks/main.yml
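Review bot: Every task in this hunk passes module arguments as one `key=value` string, `apt: pkg={{ item }} state=installed`, rather than as native block YAML, and the same style runs through main.yml, ntp.yml, security.yml and users.yml in this commit. The block form, `apt:` with `name: "{{ item }}"` and `state: present` nested beneath it, is the documented Ansible convention, puts one argument per line for diffing, and does not depend on the module's key=value splitter. `state=installed` is an older alias of `present`; `present` is the canonical value in the apt module docs. This is a style point only; the packages installed are the same either way.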
@@ -0,0 +1,90 @@
+---
+
+- name: Update apt cache
+ apt: update_cache=yes cache_valid_time=3600
+ tags:
+ - dependencies
+
+- name: Upgrade all safe packages
+ apt: upgrade=safe
+ tags:
+ - dependencies
+
+- name: Install necessities and nice-to-haves
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - apt-transport-https
+ - apticron
+ - aptitude
+ - bzip2
+ - ca-certificates
+ - curl
+ - debian-goodies
+ - dialog
+ - dnsutils
+ - etckeeper
+ # fail2ban in security
+ - file
+ - git
+ - htop
+ - iftop
+ - ifupdown
+ - iotop
+ - iproute
+ - iputils-ping
+ - isc-dhcp-client
+ - less
+ - libui-dialog-perl
+ - locales
+ - locales-all
+ - lsof
+ - lvm2
+ - man-db
+ - manpages-dev
+ - molly-guard
+ - mosh
+ - mtr-tiny
+ - netbase
+ - netcat
+ - net-tools
+ - ngrep
+ - openssh-server
+ - openssl
+ - pv
+ - python
+ - python-software-properties
+ # rkhunter in security
+ - screen
+ - sudo
+ - tcpdump
+ - unzip
+ - unattended-upgrades
+ - vim-nox
+ - wget
+ tags:
+ - dependencies
+
+- name: timezone - configure /etc/timezone
+ copy:
+ content: "{{ common_timezone | regex_replace('$', '\n') }}"
+ dest: /etc/timezone
+ owner: root
+ group: root
+ mode: 0644
+ register: common_timezone_config
+
+- name: timezone - Set localtime to UTC
+ file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime
+ when: common_timezone_config.changed
+
+- name: timezone - reconfigure tzdata
+ command: dpkg-reconfigure --frontend noninteractive tzdata
+ when: common_timezone_config.changed
+
+- name: Apticron email configuration
+ template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
+
+#- include: users.yml tags=users
+- include: security.yml tags=security
+- include: ntp.yml tags=ntp
+- include: extras.yml tags=extras
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
new file mode 100644
index 0000000..c1489fd
--- /dev/null
+++ b/roles/common/tasks/ntp.yml
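Review bot: The `timezone - Set localtime to UTC` task calls the `file` module with `src=` and `dest=` but no `state=link`; the file module documents `src` as applying only when state is `link` or `hard`, so with the default state this task does not create the symlink its name promises and should read `file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime state=link`. It also hard-codes Etc/UTC while the task before it writes `common_timezone` into /etc/timezone, and the `dpkg-reconfigure tzdata` task after it regenerates /etc/localtime from /etc/timezone, so the link task is presumably redundant and would be wrong whenever `common_timezone` is not UTC. Two smaller points in the copy task: `mode: 0644` relies on YAML 1.1 octal parsing and is safer as `mode: "0644"`, and `regex_replace('$', '\n')` is an indirect way of writing `content: "{{ common_timezone }}\n"`.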
@@ -0,0 +1,16 @@
+---
+# Defines tasks applicable for NTP (Network Time Protocol)
+
+- name: Install ntp
+ apt: pkg=ntp state=installed
+ tags:
+ - dependencies
+
+- name: Configure ntp
+ template: src=ntp.conf.j2 dest=/etc/ntp.conf
+ notify:
+ - restart ntp
+
+- name: Ensure ntpd is running and enabled
+ service: name=ntp state=started enabled=yes
+
diff --git a/roles/common/tasks/security.yml b/roles/common/tasks/security.yml
new file mode 100644
index 0000000..c00b941
--- /dev/null
+++ b/roles/common/tasks/security.yml
@@ -0,0 +1,26 @@
+---
+- name: Install security-related packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - fail2ban
+ - whois
+ - lynis
+ - rkhunter
+ - debsums
+ tags:
+ - dependencies
+
+- name: Copy fail2ban configuration into place
+ template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+ notify: restart fail2ban
+
+- name: Ensure fail2ban is started
+ service: name=fail2ban state=started enabled=yes
+
+- name: Update sshd (server) config for PFS and more secure defaults
+ template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
+ notify: restart ssh
+
+- name: Update ssh (client) config for more secure defaults
+ template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config
+
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..8171bd6
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,6 @@
+---
+- name: Create main user account
+ user: name={{ main_user_name }} state=present shell={{ main_user_shell }} groups=sudo
+
+- name: Give main user account sudo power
+ template: src=roles/common/templates/sudoers.j2 dest=/etc/sudoers.d/sudoers owner=root group=root mode=0440 validate='visudo -cf %s' |
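Review bot: The `Update sshd (server) config` task installs /etc/ssh/sshd_config and notifies `restart ssh` without validating the rendered file, so a template mistake would restart sshd into a failed state and cut off remote access to every host the role runs on; `template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config validate='sshd -t -f %s'` makes the template module refuse to install a config that sshd cannot parse, which is the same pattern users.yml already applies with `validate='visudo -cf %s'`. Adding `backup=yes` to that task keeps the previous config on the host for recovery. The `restart ssh` and `restart fail2ban` handlers are referenced but not defined anywhere in this diff, which is limited to roles/common/tasks, so they presumably live in the role's handlers file and should be checked there.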
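Review bot: `user: name={{ main_user_name }} ... groups=sudo` sets the account's supplementary groups to exactly `sudo`, because the user module's `append` defaults to no, so re-running this against an account that already exists silently removes it from every other group; add `append=yes` if the intent is only to grant sudo membership. `src=roles/common/templates/sudoers.j2` is a path relative to the playbook directory, while every other template task in this commit uses a bare name such as `apticron.conf.j2` that Ansible resolves inside the role's own templates directory; `src=sudoers.j2` is consistent with those and keeps working if the role is moved or reused. Note that this file is currently dead: the `include: users.yml` line in main.yml is commented out.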