Diffstat (limited to 'ansible/roles/common/tasks/main.yml')
-rw-r--r-- | ansible/roles/common/tasks/main.yml | 301 |
1 files changed, 301 insertions, 0 deletions
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml new file mode 100644 index 0000000..23de53c --- /dev/null +++ b/ansible/roles/common/tasks/main.yml | |||
@@ -0,0 +1,301 @@ | |||
1 | --- | ||
2 | # You can manually view how your OS-provided packages are supported with: | ||
3 | # ubuntu-support-status --show-all | ||
4 | - name: update packages | ||
5 | apt: | ||
6 | update_cache: yes | ||
7 | upgrade: safe | ||
8 | cache_valid_time: 3600 | ||
9 | |||
10 | |||
11 | - name: fix inputrc | ||
12 | copy: | ||
13 | src: inputrc | ||
14 | dest: /etc/inputrc | ||
15 | owner: root | ||
16 | group: root | ||
17 | mode: 0644 | ||
18 | |||
19 | - name: fix vimrc | ||
20 | copy: | ||
21 | src: vimrc.local | ||
22 | dest: /etc/vim/ | ||
23 | owner: root | ||
24 | group: root | ||
25 | mode: 0644 | ||
26 | |||
27 | |||
28 | - include_role: | ||
29 | name: ramdisk | ||
30 | |||
31 | |||
32 | - name: remove ubuntu call home reporting cron | ||
33 | cron: | ||
34 | cron_file: popularity-contest | ||
35 | state: absent | ||
36 | |||
37 | |||
38 | - name: remove low port restriction | ||
39 | sysctl: | ||
40 | name: net.ipv4.ip_unprivileged_port_start | ||
41 | value: 0 | ||
42 | state: present | ||
43 | sysctl_set: yes | ||
44 | |||
45 | |||
46 | # 3 means enable for outgoing and incoming connections | ||
47 | # 2 means enable for incoming connections | ||
48 | # 1 means enable for outgoing connections | ||
49 | # 0 means disabled | ||
50 | # Linux 3.13 (2014-01-19) and newer | ||
51 | - name: enable server and client TCP_FASTOPEN | ||
52 | sysctl: | ||
53 | name: net.ipv4.tcp_fastopen | ||
54 | value: 3 | ||
55 | state: present | ||
56 | sysctl_set: yes | ||
57 | |||
58 | |||
59 | # These were taken from: | ||
60 | # https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups | ||
61 | - name: populate known-good dhparams | ||
62 | copy: | ||
63 | src: "{{ item }}" | ||
64 | dest: "/etc/ssl/{{ item }}" | ||
65 | loop: | ||
66 | - ffdhe2048.pem | ||
67 | - ffdhe3072.pem | ||
68 | - ffdhe4096.pem | ||
69 | |||
70 | |||
71 | - name: configure /etc/hostname | ||
72 | hostname: | ||
73 | name: "{{ inventory_hostname }}" | ||
74 | |||
75 | #- name: Add IP address of all hosts to all hosts | ||
76 | # lineinfile: | ||
77 | # state: present | ||
78 | # dest: /etc/hosts | ||
79 | # regexp: '.*{{ item }}$' | ||
80 | # line: "{{ hostvars[item].ansible_default_ipv4.address }} {{item}}" | ||
81 | # when: hostvars[item].ansible_default_ipv4.address is defined | ||
82 | # with_items: "{{ groups['all'] }}" | ||
83 | |||
84 | |||
85 | - name: configure sshd to only listen on IPv4 | ||
86 | lineinfile: | ||
87 | dest: /etc/ssh/sshd_config | ||
88 | regexp: '^#?AddressFamily' | ||
89 | line: "AddressFamily inet" # no ipv6 | ||
90 | state: present | ||
91 | notify: reload sshd | ||
92 | |||
93 | |||
94 | # Capture example: | ||
95 | #- replace: | ||
96 | # path: /etc/hosts | ||
97 | # regexp: '(\s+)old\.host\.name(\s+.*)?$' | ||
98 | # replace: '\1new.host.name\2' | ||
99 | # backup: yes | ||
100 | |||
101 | |||
102 | - name: fix motd | ||
103 | replace: | ||
104 | path: /etc/default/motd-news | ||
105 | regexp: 'https://motd.ubuntu.com' | ||
106 | replace: 'https://matt.sh/motd' | ||
107 | notify: | ||
108 | - clear motd cache | ||
109 | |||
110 | |||
111 | # Verify against: | ||
112 | # systemctl list-timers | ||
113 | - name: disable more automated call home reporting | ||
114 | systemd: | ||
115 | name: "{{ item }}" | ||
116 | state: stopped | ||
117 | enabled: False | ||
118 | loop: | ||
119 | - apt-daily-upgrade.timer | ||
120 | - apt-daily.timer | ||
121 | - motd-news.timer | ||
122 | |||
123 | |||
124 | - name: remove ubuntu self-advertising | ||
125 | file: | ||
126 | path: "/etc/update-motd.d/{{ item }}" | ||
127 | state: absent | ||
128 | loop: | ||
129 | - 91-release-upgrade | ||
130 | - 80-livepatch | ||
131 | - 10-help-text | ||
132 | notify: | ||
133 | - clear motd cache | ||
134 | |||
135 | |||
136 | # Ubuntu's pam_motd.so shows you /etc/legal | ||
137 | # on login if you don't have ~/.cache/motd.legal-displayed | ||
138 | # There is no way to disable the creation of that file in ~/.cache on login, | ||
139 | # but we can wipe out the message for new users. | ||
140 | - name: remove login disclaimer | ||
141 | file: | ||
142 | path: /etc/legal | ||
143 | state: absent | ||
144 | |||
145 | |||
146 | - name: place net-listeners.py | ||
147 | copy: | ||
148 | src: net-listeners.py | ||
149 | dest: /usr/local/bin/ | ||
150 | owner: root | ||
151 | group: root | ||
152 | mode: 0755 | ||
153 | |||
154 | - name: place scp/rsync-only ssh restriction capability | ||
155 | copy: | ||
156 | src: ssh-transfer-only.sh | ||
157 | dest: /usr/local/bin/ | ||
158 | owner: root | ||
159 | group: root | ||
160 | mode: 0755 | ||
161 | |||
162 | # can't setsid 04755 scripts, so enable script with global passwordless sudo | ||
163 | - name: enable all user running of net-listeners.py | ||
164 | lineinfile: | ||
165 | path: /etc/sudoers.d/net-listeners | ||
166 | regexp: "listeners.py" | ||
167 | line: "ALL ALL = (root) NOPASSWD: /usr/local/bin/net-listeners.py" | ||
168 | create: yes | ||
169 | mode: 0440 | ||
170 | |||
171 | - name: add uptime and uname to login motd | ||
172 | lineinfile: | ||
173 | dest: /etc/update-motd.d/00-header | ||
174 | line: "{{ item }}" | ||
175 | state: present | ||
176 | loop: | ||
177 | - printf "\n$(w -us)\n" | ||
178 | |||
179 | - name: add listening watcher to global login config | ||
180 | lineinfile: | ||
181 | dest: /etc/bash.bashrc | ||
182 | line: "{{ item }}" | ||
183 | state: present | ||
184 | loop: | ||
185 | # Only show output when running a login, not when starting a sudo shell | ||
186 | - "[[ -z $SUDO_UID ]] && sudo /usr/local/bin/net-listeners.py" | ||
187 | |||
188 | - name: ensure system grub template has serial access | ||
189 | lineinfile: | ||
190 | dest: /etc/default/grub | ||
191 | regexp: '^GRUB_CMDLINE_LINUX=' | ||
192 | line: 'GRUB_CMDLINE_LINUX="console=ttyS0 {{ grub.extras }}"' | ||
193 | state: present | ||
194 | notify: reload grub | ||
195 | |||
196 | |||
197 | # This is an ops opinion. For more advanced needs, modify here or just template | ||
198 | # the entire sshd_config directly. | ||
199 | - name: configure sshd to only listen on local IP | ||
200 | lineinfile: | ||
201 | dest: /etc/ssh/sshd_config | ||
202 | regexp: '^#?ListenAddress' | ||
203 | line: "ListenAddress {{ hostvars[inventory_hostname]['ansible_' + network.interface.private]['ipv4']['address'] }}" | ||
204 | state: present | ||
205 | notify: reload sshd | ||
206 | |||
207 | |||
208 | - name: install system tools | ||
209 | apt: | ||
210 | pkg: | ||
211 | # acl is required for ansible to "become_user" as someone non-root because | ||
212 | # of permissions on its temporary files. Ansible will setfacl on temp files | ||
213 | # so it doesn't have to 0666 everything just so a new user can modify things. | ||
214 | - acl | ||
215 | |||
216 | # you aren't a linux server without sending nightly summary emails | ||
217 | - logwatch | ||
218 | |||
219 | # apt helpers for repo installs not included by default for some reason | ||
220 | - software-properties-common | ||
221 | |||
222 | # production CA bundles so we don't get unknown CA errors | ||
223 | - ca-certificates | ||
224 | |||
225 | # Maintains high numbers in /proc/sys/kernel/random/entropy_avail | ||
226 | - rng-tools | ||
227 | |||
228 | # should we use a more modern thing than collect? distributed osquery? | ||
229 | - collectd | ||
230 | |||
231 | # make sure 'install_recommends: no' or this installs lots of other stuff | ||
232 | - vim-nox | ||
233 | |||
234 | # rrdtool only installed so we can be lazy and generate graphs on-demand | ||
235 | # with: /usr/share/doc/collectd-core/examples/collectd2html.pl | ||
236 | # TODO: enable centralized reporting system | ||
237 | - rrdtool | ||
238 | |||
239 | # netstat, mii-tool, etc | ||
240 | - net-tools | ||
241 | install_recommends: no | ||
242 | state: latest | ||
243 | |||
244 | # use a modern ntp client+server. | ||
245 | # | ||
246 | # systemd actually has a built-in ntp client called 'systemd-timesyncd' | ||
247 | # You can view its status with: | ||
248 | # journalctl -u systemd-timesyncd | ||
249 | # timedatectl | ||
250 | # | ||
251 | # Installing chrony will disable systemd-timesyncd | ||
252 | # (represented in apt with "Replaces: time-daemon") | ||
253 | # but it doesn't _actually_ disable it according to timedatectl (bug?) | ||
254 | # so we also manually run 'timedatectl set-ntp false' just to confirm. | ||
255 | # A good writeup about systemd-timesyncd lives at: | ||
256 | # https://wiki.archlinux.org/index.php/systemd-timesyncd | ||
257 | # | ||
258 | # You can view your live chrony status with: | ||
259 | # chronyc tracking | ||
260 | # chronyc sources | ||
261 | # chronyc sourcestats | ||
262 | # | ||
263 | # ...and that's a lot more detail than the built-in garabage systemd-timesyncd | ||
264 | # client will tell you about how your system time is being managed. | ||
265 | # | ||
266 | # chrony is both an ntp client with a remote administration interface | ||
267 | # and an ntp server, but by default chrony does not enable remote admin | ||
268 | # or ntp serving without additional explicit configuration (chrony.conf). | ||
269 | # | ||
270 | # For more details about becoming an ntp server and remote time administartion, | ||
271 | # see sections 2.2 and 2.5 of: | ||
272 | # https://chrony.tuxfamily.org/faq.html#_how_do_i_make_an_ntp_server_from_an_ntp_client | ||
273 | - name: install ntp client | ||
274 | apt: | ||
275 | pkg: chrony | ||
276 | state: latest | ||
277 | notify: | ||
278 | - double disable systemd ntp client | ||
279 | |||
280 | # If ansible facts aren't enough, we can get puppet and chef facts too: | ||
281 | #- name: install facter | ||
282 | # apt: | ||
283 | # pkg: facter | ||
284 | # state: latest | ||
285 | # | ||
286 | #- name: install ohai | ||
287 | # apt: | ||
288 | # pkg: facter | ||
289 | # state: latest | ||
290 | |||
291 | |||
292 | # cleanup | ||
293 | - name: cleanup packaging | ||
294 | apt: | ||
295 | autoclean: yes | ||
296 | autoremove: yes | ||
297 | |||
298 | # If needed, build and provide: | ||
299 | # | ||
300 | # Build for nsjail: | ||
301 | # apt install protobu* bison flex pkg-config libprotobuf-dev | ||
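Review bot: The sudoers rule written by the "enable all user running of net-listeners.py" task (`ALL ALL = (root) NOPASSWD: /usr/local/bin/net-listeners.py`) grants every account passwordless root execution of that script with any arguments, and the lineinfile task has no `validate`, so a malformed line would break sudo on the whole host instead of being rejected. Add `validate: '/usr/sbin/visudo -cf %s'` to that task, and if net-listeners.py takes no arguments, end the command spec with `""` so callers cannot supply their own. The two sshd_config edits ("configure sshd to only listen on IPv4" and "configure sshd to only listen on local IP") have the same gap; `validate: '/usr/sbin/sshd -t -f %s'` prevents the `reload sshd` handler from running against a broken config. Separately, setting `net.ipv4.ip_unprivileged_port_start` to 0 lets any unprivileged process bind ports below 1024, so a comment on that task explaining why this is preferred over per-service `CAP_NET_BIND_SERVICE` would help the next reader judge the trade-off.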