summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'ansible/roles/common/tasks/main.yml')
-rw-r--r--ansible/roles/common/tasks/main.yml301
1 files changed, 301 insertions, 0 deletions
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
new file mode 100644
index 0000000..23de53c
--- /dev/null
+++ b/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,301 @@
1---
2# You can manually view how your OS-provided packages are supported with:
3# ubuntu-support-status --show-all
4- name: update packages
5 apt:
6 update_cache: yes
7 upgrade: safe
8 cache_valid_time: 3600
9
10
11- name: fix inputrc
12 copy:
13 src: inputrc
14 dest: /etc/inputrc
15 owner: root
16 group: root
17 mode: 0644
18
19- name: fix vimrc
20 copy:
21 src: vimrc.local
22 dest: /etc/vim/
23 owner: root
24 group: root
25 mode: 0644
26
27
28- include_role:
29 name: ramdisk
30
31
32- name: remove ubuntu call home reporting cron
33 cron:
34 cron_file: popularity-contest
35 state: absent
36
37
38- name: remove low port restriction
39 sysctl:
40 name: net.ipv4.ip_unprivileged_port_start
41 value: 0
42 state: present
43 sysctl_set: yes
44
45
46# 3 means enable for outgoing and incoming connections
47# 2 means enable for incoming connections
48# 1 means enable for outgoing connections
49# 0 means disabled
50# Linux 3.13 (2014-01-19) and newer
51- name: enable server and client TCP_FASTOPEN
52 sysctl:
53 name: net.ipv4.tcp_fastopen
54 value: 3
55 state: present
56 sysctl_set: yes
57
58
59# These were taken from:
60# https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups
61- name: populate known-good dhparams
62 copy:
63 src: "{{ item }}"
64 dest: "/etc/ssl/{{ item }}"
65 loop:
66 - ffdhe2048.pem
67 - ffdhe3072.pem
68 - ffdhe4096.pem
69
70
71- name: configure /etc/hostname
72 hostname:
73 name: "{{ inventory_hostname }}"
74
75 #- name: Add IP address of all hosts to all hosts
76 # lineinfile:
77 # state: present
78 # dest: /etc/hosts
79 # regexp: '.*{{ item }}$'
80 # line: "{{ hostvars[item].ansible_default_ipv4.address }} {{item}}"
81 # when: hostvars[item].ansible_default_ipv4.address is defined
82 # with_items: "{{ groups['all'] }}"
83
84
85- name: configure sshd to only listen on IPv4
86 lineinfile:
87 dest: /etc/ssh/sshd_config
88 regexp: '^#?AddressFamily'
89 line: "AddressFamily inet" # no ipv6
90 state: present
91 notify: reload sshd
92
93
94 # Capture example:
95 #- replace:
96 # path: /etc/hosts
97 # regexp: '(\s+)old\.host\.name(\s+.*)?$'
98 # replace: '\1new.host.name\2'
99 # backup: yes
100
101
102- name: fix motd
103 replace:
104 path: /etc/default/motd-news
105 regexp: 'https://motd.ubuntu.com'
106 replace: 'https://matt.sh/motd'
107 notify:
108 - clear motd cache
109
110
111# Verify against:
112# systemctl list-timers
113- name: disable more automated call home reporting
114 systemd:
115 name: "{{ item }}"
116 state: stopped
117 enabled: False
118 loop:
119 - apt-daily-upgrade.timer
120 - apt-daily.timer
121 - motd-news.timer
122
123
124- name: remove ubuntu self-advertising
125 file:
126 path: "/etc/update-motd.d/{{ item }}"
127 state: absent
128 loop:
129 - 91-release-upgrade
130 - 80-livepatch
131 - 10-help-text
132 notify:
133 - clear motd cache
134
135
136# Ubuntu's pam_motd.so shows you /etc/legal
137# on login if you don't have ~/.cache/motd.legal-displayed
138# There is no way to disable the creation of that file in ~/.cache on login,
139# but we can wipe out the message for new users.
140- name: remove login disclaimer
141 file:
142 path: /etc/legal
143 state: absent
144
145
146- name: place net-listeners.py
147 copy:
148 src: net-listeners.py
149 dest: /usr/local/bin/
150 owner: root
151 group: root
152 mode: 0755
153
154- name: place scp/rsync-only ssh restriction capability
155 copy:
156 src: ssh-transfer-only.sh
157 dest: /usr/local/bin/
158 owner: root
159 group: root
160 mode: 0755
161
162# can't setsid 04755 scripts, so enable script with global passwordless sudo
163- name: enable all user running of net-listeners.py
164 lineinfile:
165 path: /etc/sudoers.d/net-listeners
166 regexp: "listeners.py"
167 line: "ALL ALL = (root) NOPASSWD: /usr/local/bin/net-listeners.py"
168 create: yes
169 mode: 0440
170
171- name: add uptime and uname to login motd
172 lineinfile:
173 dest: /etc/update-motd.d/00-header
174 line: "{{ item }}"
175 state: present
176 loop:
177 - printf "\n$(w -us)\n"
178
179- name: add listening watcher to global login config
180 lineinfile:
181 dest: /etc/bash.bashrc
182 line: "{{ item }}"
183 state: present
184 loop:
185 # Only show output when running a login, not when starting a sudo shell
186 - "[[ -z $SUDO_UID ]] && sudo /usr/local/bin/net-listeners.py"
187
188- name: ensure system grub template has serial access
189 lineinfile:
190 dest: /etc/default/grub
191 regexp: '^GRUB_CMDLINE_LINUX='
192 line: 'GRUB_CMDLINE_LINUX="console=ttyS0 {{ grub.extras }}"'
193 state: present
194 notify: reload grub
195
196
197# This is an ops opinion. For more advanced needs, modify here or just template
198# the entire sshd_config directly.
199- name: configure sshd to only listen on local IP
200 lineinfile:
201 dest: /etc/ssh/sshd_config
202 regexp: '^#?ListenAddress'
203 line: "ListenAddress {{ hostvars[inventory_hostname]['ansible_' + network.interface.private]['ipv4']['address'] }}"
204 state: present
205 notify: reload sshd
206
207
208- name: install system tools
209 apt:
210 pkg:
211 # acl is required for ansible to "become_user" as someone non-root because
212 # of permissions on its temporary files. Ansible will setfacl on temp files
213 # so it doesn't have to 0666 everything just so a new user can modify things.
214 - acl
215
216 # you aren't a linux server without sending nightly summary emails
217 - logwatch
218
219 # apt helpers for repo installs not included by default for some reason
220 - software-properties-common
221
222 # production CA bundles so we don't get unknown CA errors
223 - ca-certificates
224
225 # Maintains high numbers in /proc/sys/kernel/random/entropy_avail
226 - rng-tools
227
228 # should we use a more modern thing than collect? distributed osquery?
229 - collectd
230
231 # make sure 'install_recommends: no' or this installs lots of other stuff
232 - vim-nox
233
234 # rrdtool only installed so we can be lazy and generate graphs on-demand
235 # with: /usr/share/doc/collectd-core/examples/collectd2html.pl
236 # TODO: enable centralized reporting system
237 - rrdtool
238
239 # netstat, mii-tool, etc
240 - net-tools
241 install_recommends: no
242 state: latest
243
244# use a modern ntp client+server.
245#
246# systemd actually has a built-in ntp client called 'systemd-timesyncd'
247# You can view its status with:
248# journalctl -u systemd-timesyncd
249# timedatectl
250#
251# Installing chrony will disable systemd-timesyncd
252# (represented in apt with "Replaces: time-daemon")
253# but it doesn't _actually_ disable it according to timedatectl (bug?)
254# so we also manually run 'timedatectl set-ntp false' just to confirm.
255# A good writeup about systemd-timesyncd lives at:
256# https://wiki.archlinux.org/index.php/systemd-timesyncd
257#
258# You can view your live chrony status with:
259# chronyc tracking
260# chronyc sources
261# chronyc sourcestats
262#
263# ...and that's a lot more detail than the built-in garabage systemd-timesyncd
264# client will tell you about how your system time is being managed.
265#
266# chrony is both an ntp client with a remote administration interface
267# and an ntp server, but by default chrony does not enable remote admin
268# or ntp serving without additional explicit configuration (chrony.conf).
269#
270# For more details about becoming an ntp server and remote time administartion,
271# see sections 2.2 and 2.5 of:
272# https://chrony.tuxfamily.org/faq.html#_how_do_i_make_an_ntp_server_from_an_ntp_client
273- name: install ntp client
274 apt:
275 pkg: chrony
276 state: latest
277 notify:
278 - double disable systemd ntp client
279
280# If ansible facts aren't enough, we can get puppet and chef facts too:
281#- name: install facter
282# apt:
283# pkg: facter
284# state: latest
285#
286#- name: install ohai
287# apt:
288# pkg: facter
289# state: latest
290
291
292# cleanup
293- name: cleanup packaging
294 apt:
295 autoclean: yes
296 autoremove: yes
297
298# If needed, build and provide:
299#
300# Build for nsjail:
301# apt install protobu* bison flex pkg-config libprotobuf-dev
Powered by cgit v1.2.3 (git 2.41.0)