fossilfranv/set_ip_blacklist
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add 'ansible/ubuntu/setup-pb.yml'

Browse Source
This commit is contained in:
fossilfranv 2023-03-15 22:06:26 +01:00
parent 42ce5021d0
commit 93b159085a
1 changed files with 715 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

715
ansible/ubuntu/setup-pb.yml Normal file
View File

@ -0,0 +1,715 @@
# Initial server setup
#
---
- hosts: all
become: yes
vars:
my_client_ip: 192.168.1.75
tmzone: America/Vancouver
sudo_timeout: 60
# Set ufw logging: on | off | low | medium | high | full
ufw_log: off
# SSH socket config used for 22.10 and later.
# Disable any existing listen steam and enable the new stream.
ssh_socket_cfg: |
[Socket]
ListenStream=
ListenStream={{ ssh_port }}
resolved_cfg: |
[Resolve]
DNSStubListener=no
DNS=127.0.0.1
f2b_jail_local: |
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 {{ my_client_ip }}
findtime = 15m
bantime = 2h
maxretry = 5
[sshd]
enabled = true
maxretry = 3
port = {{ ssh_port }}
tasks:
- name: Get datestamp from the system
shell: date +"%Y%m%d"
register: dstamp
- name: Set current date stamp variable
set_fact:
cur_date: "{{ dstamp.stdout }}"
# Update and install the base software
- name: Update apt package cache
apt:
update_cache: yes
cache_valid_time: 3600
- name: Upgrade installed apt packages
apt:
upgrade: dist
register: upgrade
retries: 15
delay: 5
until: upgrade is success
- name: Ensure that a base set of software packages are installed
apt:
pkg:
- apt-transport-https
- build-essential
- fail2ban
- pwgen
- unbound
- unzip
- docker
- docker-compose
- net-tools
- traceroute
state: latest
- name: Create a local systemd-resolved configuration directory.
file:
path: /etc/systemd/resolved.conf.d
state: directory
owner: root
group: root
mode: 0755
- name: Create a local systemd-resolved configuration that works with unbound.
copy:
dest: /etc/systemd/resolved.conf.d/local.conf
content: "{{ resolved_cfg }}"
owner: root
group: root
mode: 0644
- name: Update the systemd-resolved /etc/resolv.conf symbolic link.
file:
src: /run/systemd/resolve/resolv.conf
dest: /etc/resolv.conf
state: link
owner: root
group: root
- name: Restart systemd-resolved
service:
name: systemd-resolved
state: restarted
- name: Check if a reboot is needed for Debian-based systems
stat:
path: /var/run/reboot-required
register: reboot_required
# Host Setup
- name: Set static hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Add FQDN to /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '^127\.0\.1\.1'
line: '127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}'
state: present
- name: Check if cloud init is installed.
stat: path="/etc/cloud/templates/hosts.debian.tmpl"
register: cloud_installed
- name: Add FQDN to /etc/cloud/templates/hosts.debian.tmpl
lineinfile:
dest: /etc/cloud/templates/hosts.debian.tmpl
regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
state: present
when: cloud_installed.stat.exists
- name: set timezone
timezone:
name: "{{ tmzone }}"
# Set sudo password timeout (default is 15 minutes)
- name: Set sudo password timeout.
lineinfile:
path: /etc/sudoers
state: present
regexp: '^Defaults\tenv_reset'
line: 'Defaults env_reset, timestamp_timeout={{ sudo_timeout }}'
validate: '/usr/sbin/visudo -cf %s'
- name: Create/update regular user with sudo privileges
user:
name: "{{ user }}"
password: "{{ user_passwd | password_hash('sha512') }}"
state: present
groups: sudo
append: true
shell: /bin/bash
- name: Ensure ansible_sudo_passwd matches the [new] user password
set_fact:
ansible_sudo_passwd: "{{ user_passwd }}"
- name: Ensure authorized keys for remote user is installed
authorized_key:
user: "{{ user }}"
state: present
key: "{{ ssh_pub_key }}"
- name: Ensure authorized key for root user is installed
authorized_key:
user: root
state: present
key: "{{ ssh_pub_key }}"
- name: Update root user password.
user:
name: root
password: "{{ root_passwd | password_hash('sha512') }}"
- name: Disable password authentication for root
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin prohibit-password'
- name: Disable tunneled clear-text passwords
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^PasswordAuthentication yes'
line: 'PasswordAuthentication no'
- name: Set user PS1 to a two-line prompt
lineinfile:
dest: "/home/{{ user }}/.bashrc"
insertafter: EOF
line: "PS1='${debian_chroot:+($debian_chroot)}\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\]\\n\\$ '"
state: present
- name: Set root PS1 to a two-line prompt
lineinfile:
path: '/root/.bashrc'
state: present
insertafter: EOF
line: PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\n\$ '
# Configure the UFW firewall
- name: Disable and reset ufw firewall to installation defaults.
ufw:
state: reset
- name: Find backup rules to delete
find:
paths: /etc/ufw
patterns: "*.{{ cur_date }}_*"
use_regex: no
register: files_to_delete
- name: Delete ufw backup rules
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ files_to_delete.files }}"
- name: Set the ssh '{{ ssh_port }}' port number in sshd_config (ver < 22.10).
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^#Port '
line: 'Port {{ ssh_port }}'
state: present
when: ansible_facts['distribution_version'] < '22.10'
- name: Create a ssh.socket.d configuration directory (ver >= 22.10).
file:
path: /etc/systemd/system/ssh.socket.d
state: directory
owner: root
group: root
mode: 0755
when: ansible_facts['distribution_version'] >= '22.10'
- name: Create a local SSH socket stream configuration (ver >= 22.10).
copy:
dest: /etc/systemd/system/ssh.socket.d/listen.conf
content: "{{ ssh_socket_cfg }}"
owner: root
group: root
mode: 0644
when: ansible_facts['distribution_version'] >= '22.10'
- name: daemon-reload (ver >= 22.10)
systemd:
daemon_reload: yes
when: ansible_facts['distribution_version'] >= '22.10'
- name: Restart the ssh service after updating the SSH port number (ver < 22.10).
service:
name: ssh
state: restarted
when: ansible_facts['distribution_version'] < '22.10'
- name: Restart the ssh socket unit after updating the SSH port number (ver >= 22.10).
systemd:
name: ssh.socket
state: restarted
when: ansible_facts['distribution_version'] >= '22.10'
- name: Change the ansible ssh port to '{{ ssh_port }}'
set_fact:
ansible_port: '{{ ssh_port }}'
- name: Allow ssh port '{{ ssh_port }}'.
ufw:
rule: allow
proto: tcp
port: '{{ ssh_port }}'
state: enabled
- name: Set the UFW log level.
ufw:
logging: '{{ ufw_log }}'
- name: configure fail2ban for ssh
copy:
dest: /etc/fail2ban/jail.local
content: "{{ f2b_jail_local }}"
owner: root
group: root
mode: 0644
notify:
- restart fail2ban
- name: enable fail2ban service on boot
service:
name: fail2ban
enabled: true
state: started
# simple shell script to display fail2ban-client status info; usage:
# f2bst
# f2bst sshd
- name: Configure f2bst
copy:
dest: /usr/local/bin/f2bst
content: |
#!/bin/sh
fail2ban-client status $*
owner: root
group: root
mode: 0750
- name: run needrestart
command: needrestart -r a
when: not reboot_required.stat.exists and upgrade.changed
- name: Configure static networking
copy:
src: etc/netplan/50-cloud-init.yaml
dest: /etc/netplan/50-cloud-init.yaml
owner: root
group: root
mode: 0644
notify:
- netplan apply
when: cfg_static_network == true
- name: Report if reboot is needed.
debug:
msg: Rebooting the server, please wait.
when: reboot_required.stat.exists
- name: Reboot the server if needed
reboot:
msg: "Reboot initiated by Ansible because of reboot required file."
connect_timeout: 5
reboot_timeout: 600
pre_reboot_delay: 0
post_reboot_delay: 30
test_command: whoami
when: reboot_required.stat.exists
- name: Remove old packages from the cache
apt:
autoclean: yes
- name: Remove dependencies that are no longer needed
apt:
autoremove: yes
purge: yes
handlers:
- name: restart fail2ban
service:
name: fail2ban
state: restarted
when: reboot_required.stat.exists == false
- name: netplan apply
command: netplan apply
when: cfg_static_network == true