From 7e029a0d33690556fc396aa33f6d832bb3c610ed Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Sat, 7 Nov 2020 14:42:58 +0100 Subject: [PATCH] Initial commit --- defaults/main.yml | 3 + handlers/main.yml | 71 ++++++++++++++++++++++ handlers/user.yml | 19 ++++++ meta/main.yml | 15 +++++ tasks/host.yml | 15 +++++ tasks/known_hosts.yml | 39 +++++++++++++ tasks/main.yml | 51 ++++++++++++++++ tasks/network.yml | 27 +++++++++ tasks/nginx.yml | 18 ++++++ tasks/poetry.yml | 73 +++++++++++++++++++++++ tasks/ssl.yml | 39 +++++++++++++ tasks/sudoers.yml | 7 +++ templates/hostname.j2 | 3 + templates/hosts.j2 | 9 +++ templates/network.j2 | 9 +++ templates/nftables.j2 | 19 ++++++ templates/nginx.conf.j2 | 51 ++++++++++++++++ templates/sshd_config.j2 | 123 +++++++++++++++++++++++++++++++++++++++ templates/sudoers.j2 | 3 + vars/archlinux.yml | 2 + vars/debian-buster.yml | 1 + vars/ubuntu-focal.yml | 1 + 22 files changed, 598 insertions(+) create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 handlers/user.yml create mode 100644 meta/main.yml create mode 100644 tasks/host.yml create mode 100644 tasks/known_hosts.yml create mode 100644 tasks/main.yml create mode 100644 tasks/network.yml create mode 100644 tasks/nginx.yml create mode 100644 tasks/poetry.yml create mode 100644 tasks/ssl.yml create mode 100644 tasks/sudoers.yml create mode 100644 templates/hostname.j2 create mode 100644 templates/hosts.j2 create mode 100644 templates/network.j2 create mode 100644 templates/nftables.j2 create mode 100644 templates/nginx.conf.j2 create mode 100644 templates/sshd_config.j2 create mode 100644 templates/sudoers.j2 create mode 100644 vars/archlinux.yml create mode 100644 vars/debian-buster.yml create mode 100644 vars/ubuntu-focal.yml diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..d2d3c30 --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,3 @@ +poetry_url: "https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py" +poetry_user: "{{ ansible_user | default(lookup('env', 'USER'), True) }}" +poetry_dir: "{{ ansible_env.HOME }}/.poetry" diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..7eb7634 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,71 @@ +- name: reload ssh + systemd: + name: ssh + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart nftables + systemd: + name: nftables + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart nginx + systemd: + name: nginx + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart docker + systemd: + name: docker + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart rabbitmq + systemd: + name: rabbitmq-server + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart memcached + systemd: + name: memcached + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart postfix + systemd: + name: postfix + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart postgres + systemd: + name: postgresql@11-main + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart systemd-networkd + systemd: + name: systemd-networkd + state: restarted + enabled: yes + daemon-reload: yes + +- name: restart systemd-resolved + systemd: + name: systemd-resolved + state: restarted + enabled: yes + daemon-reload: yes + +- include: user.yml diff --git a/handlers/user.yml b/handlers/user.yml new file mode 100644 index 0000000..8cf4b1a --- /dev/null +++ b/handlers/user.yml 
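Review bot: `poetry_url` points at the `master` branch of the upstream repository, and tasks/poetry.yml (the `download poetry installer` and `install poetry` tasks) fetches and executes that file with `python /tmp/get-poetry.py --yes` without verifying it, so whatever is served at that URL at run time runs as `poetry_user`. Pin the URL to a release tag and add `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder, from the pinned release) to the `get_url` task so a changed or tampered installer fails the download instead of being executed. The download also lands in the shared `/tmp/` under a predictable name; a `dest` below `poetry_user_home` (which the same tasks file already computes) avoids racing other local users for that path.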
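Review bot: Every handler here writes `enabled: yes` and `daemon-reload: yes`; the truthy spellings trip ansible-lint and yamllint, and `daemon_reload` is the documented parameter name (`daemon-reload` is only its alias), so `enabled: true` / `daemon_reload: true` is the form to use throughout. `restart postgres` hard-codes the unit `postgresql@11-main`, which silently becomes a no-op unit name on any other major version; a `postgres_service` variable with that value as the default keeps the handler usable when the cluster is upgraded. The handler named `reload ssh` actually does `state: restarted`; either rename it or use `state: reloaded`, which is what the name promises.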
@@ -0,0 +1,19 @@ +- name: start user tmux service + become_user: "{{ default_user }}" + become: yes + systemd: + daemon-reload: yes + name: tmux + state: started + enabled: yes + scope: user + +- name: restart user tmux service + become_user: "{{ default_user }}" + become: yes + systemd: + daemon-reload: yes + name: tmux + state: restarted + enabled: yes + scope: user diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..1e19aa6 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,15 @@ +dependencies: [] + +galaxy_info: + author: sonny + description: "Common tasks" + license: "license GPLv3" + min_ansible_version: 2.7 + issue_tracker_url: "https://git.fudiggity.nl/ansible/common/-/issues" + platforms: + - name: Debian + versions: + - buster + galaxy_tags: + - development + - system diff --git a/tasks/host.yml b/tasks/host.yml new file mode 100644 index 0000000..818e7c2 --- /dev/null +++ b/tasks/host.yml @@ -0,0 +1,15 @@ +- name: copy hostname + template: + src: "hostname.j2" + dest: "/etc/hostname" + owner: root + group: root + mode: "0644" + +- name: copy hosts + template: + src: "hosts.j2" + dest: "/etc/hosts" + owner: root + group: root + mode: "0644" diff --git a/tasks/known_hosts.yml b/tasks/known_hosts.yml new file mode 100644 index 0000000..d8abe99 --- /dev/null +++ b/tasks/known_hosts.yml 
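Review bot: Both handlers call the systemd module with `scope: user` under `become_user: "{{ default_user }}"`, and in that setup the user bus is usually not reachable because `XDG_RUNTIME_DIR` is not set for the switched user — this is inferred from the parameters alone, so confirm on a target host. If it fails with a bus connection error, adding `environment: { XDG_RUNTIME_DIR: "/run/user/<UID_OF_DEFAULT_USER>" }` (placeholder) to the tasks is the usual fix, and the user manager also needs the linger that tasks/main.yml enables. As in handlers/main.yml, `yes` should be `true` and `daemon-reload` should be `daemon_reload`.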
@@ -0,0 +1,39 @@ +- name: load OS specific vars + include_vars: "{{ item }}" + with_first_found: + - files: + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + paths: + - "{{ role_path }}/vars" + +- name: install packages + become: yes + package: + name: "{{ item }}" + state: present + loop: "{{ known_hosts_packages }}" + +- name: retrieve user $HOME + shell: "echo $HOME" # noqa 301 + become_user: "{{ user }}" + register: home_stats + +- name: set user $HOME + set_fact: + user_home: "{{ home_stats.stdout }}" + +- name: create local ssh directory + become_user: "{{ user }}" + file: + path: "{{ user_home }}/.ssh" + state: directory + mode: "0755" + +- name: add items to known hosts + become_user: "{{ user }}" + known_hosts: + name: "{{ item.domain }}" + key: "{{ item.key }}" + loop: "{{ items }}" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..2811ac4 --- /dev/null +++ b/tasks/main.yml 
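Review bot: `become_user: "{{ user }}"` is set on the `$HOME`, `.ssh` and `known_hosts` tasks, but `become: yes` only on the package install; unless the calling play enables become, `become_user` alone does not switch users and those tasks run as the connection user, writing into its home rather than `{{ user }}`'s — confirm against the play that includes this file. The `.ssh` directory is created with `mode: "0755"`; `mode: "0700"` is the conventional value and keeps `known_hosts` (and any private keys later placed there) unreadable to other local users. The `shell: "echo $HOME"` step can be replaced by the `getent` module (`database: passwd`, `key: "{{ user }}"`), which needs no shell and is idempotent.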
@@ -0,0 +1,51 @@ +- include_tasks: "sudoers.yml" + loop: + - { src: "sudoers.j2", dest: "/etc/sudoers.d/20-ansible-extra" } + +- name: copy ssh template + template: + src: "sshd_config.j2" + dest: "/etc/ssh/sshd_config" + owner: root + group: root + mode: "0644" + notify: reload ssh + +- name: viva la hollande + locale_gen: + name: nl_NL.UTF-8 + state: present + +- name: ensure basic tooling is installed + apt: + name: + - acl + - man + - apt-transport-https + - ca-certificates + - software-properties-common + - policykit-1 + - libpolkit-agent-1-0 + - nftables + - openssh-client + - bash-completion + - git + - vim + - curl + - tree + - haveged + - rsync + state: present + +- name: copy firewall template + template: + src: "nftables.j2" + dest: "/etc/nftables.conf" + owner: root + group: root + mode: "0600" + notify: restart nftables + +# see https://wiki.debian.org/systemd#Orphaned_processes +- name: enable loginctl user-linger + command: "loginctl enable-linger {{ default_user|quote }}" # noqa 301 diff --git a/tasks/network.yml b/tasks/network.yml new file mode 100644 index 0000000..f9ff775 --- /dev/null +++ b/tasks/network.yml @@ -0,0 +1,27 @@ +- name: check old network configuration + stat: path=/etc/network/interfaces + register: old_config + +- name: move old network configuration + command: mv /etc/network/interfaces /etc/network/interfaces.save + when: old_config.stat.exists + +- name: copy network configuration + template: + src: "network.j2" + dest: "/etc/systemd/network/50-default.network" + owner: root + group: root + mode: "0644" + notify: restart systemd-networkd + +- name: copy dns configuration + file: + src: "/run/systemd/resolve/resolv.conf" + dest: "/etc/resolv.conf" + owner: root + group: root + state: link + force: yes + mode: "0644" + notify: restart systemd-resolved diff --git a/tasks/nginx.yml b/tasks/nginx.yml new file mode 100644 index 0000000..965ef2a --- /dev/null +++ b/tasks/nginx.yml 
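Review bot: The `copy ssh template` task writes `/etc/ssh/sshd_config` and notifies a handler that restarts sshd, but nothing checks the rendered file first, so a template error restarts sshd into a failed state and locks the host out of further management; add `validate: "/usr/sbin/sshd -t -f %s"` to that task so a bad render fails the task and leaves the old config in place. The sudoers fragment installed via the `include_tasks` loop at the top is written with `mode: "0644"` in tasks/sudoers.yml; see the note on that hunk for the mode and `visudo` check. `loginctl enable-linger` runs on every play (`noqa 301`); `changed_when: false` or a `creates: "/var/lib/systemd/linger/{{ default_user }}"` argument would make it report honestly.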
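Review bot: `stat: path=/etc/network/interfaces` uses the `key=value` argument form while every other task in the role uses block YAML; write it as `stat:` / `  path: /etc/network/interfaces` for consistency. In `copy dns configuration`, `mode: "0644"` on a `state: link` task does not describe the symlink — with the module's default `follow` it is applied to the link target under `/run/systemd/resolve/` — so either drop it or confirm that is intended. The `mv` of the old interfaces file is guarded by `when`, which is fine, but `changed_when` is not needed there; the other two tasks correctly notify their units.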
@@ -0,0 +1,18 @@ +- name: install nginx + apt: + name: nginx + state: present + +- name: copy nginx config + template: + src: "nginx.conf.j2" + dest: "/etc/nginx/nginx.conf" + owner: root + group: root + mode: "0644" + +- name: remove default site + file: + path: "/etc/nginx/sites-enabled/default" + state: absent + notify: restart nginx diff --git a/tasks/poetry.yml b/tasks/poetry.yml new file mode 100644 index 0000000..8649337 --- /dev/null +++ b/tasks/poetry.yml 
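Review bot: `copy nginx config` has no `notify`, so after the first run a changed `nginx.conf` is written to disk but never applied — only `remove default site` triggers the restart, and that task is a no-op once the link is gone. Add `notify: restart nginx` to the template task, and `validate: "nginx -t -c %s"` so a broken render fails the task rather than leaving nginx unable to restart. Using the `reloaded` state in the handler would avoid dropping live connections, but that is a choice for handlers/main.yml.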
@@ -0,0 +1,73 @@ +- name: retrieve user $HOME # noqa 301 + shell: "echo $HOME" + become_user: "{{ poetry_user }}" + register: home_stats + +- name: retrieve user $PATH # noqa 301 + shell: "echo $PATH" + become_user: "{{ poetry_user }}" + register: path_stats + +- name: set poetry user variables + set_fact: + poetry_user_home: "{{ home_stats.stdout }}" + poetry_user_path: "{{ path_stats.stdout }}" + +- name: create user folder for binaries + become_user: "{{ poetry_user }}" + file: + state: directory + mode: "0755" + path: "{{ poetry_user_home }}/.local/bin" + +- name: set default python binary # noqa 208 + become: true + file: + state: link + src: "/usr/bin/python3" + dest: "/usr/bin/python" + when: ansible_distribution == "Ubuntu" + +- name: setup poetry for Ubuntu/Debian derived distro's + block: + - name: check poetry existence + become_user: "{{ poetry_user }}" + stat: + path: "{{ poetry_dir }}" + register: poetry_stats + + - name: download poetry installer + become_user: "{{ poetry_user }}" + get_url: + url: "{{ poetry_url }}" + dest: /tmp/ + mode: "0750" + when: poetry_stats.stat.isdir is not defined + + - name: install poetry + become_user: "{{ poetry_user }}" + command: "python /tmp/get-poetry.py --yes" # noqa 305 + environment: + POETRY_HOME: "{{ poetry_dir }}" + when: poetry_stats.stat.isdir is not defined + + - name: add poetry to user binaries # noqa 208 + become_user: "{{ poetry_user }}" + file: + state: link + src: "{{ poetry_dir }}/bin/poetry" + dest: "{{ poetry_user_home }}/.local/bin/poetry" + when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" + +- name: setup poetry for Archlinux + become: true + pacman: + name: poetry + state: present + when: ansible_facts['os_family'] == "Archlinux" + +- name: update poetry config + become_user: "{{ poetry_user }}" + command: "poetry config virtualenvs.in-project true" # noqa 301 + environment: + PATH: "{{ poetry_user_home }}/.local/bin:{{ poetry_user_path }}" 
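Review bot: `install poetry` runs `python /tmp/get-poetry.py --yes`, but the `/usr/bin/python -> python3` link is only created `when: ansible_distribution == "Ubuntu"`, so on Debian the block (whose `when` also allows Debian) runs whatever `python` resolves to — Python 2 if installed, or nothing. Invoking the installer as `command: "python3 /tmp/get-poetry.py --yes"` removes the dependency on the symlink, and the symlink task can then go. The OS checks are inconsistent within the file (`ansible_distribution` in two places, `ansible_facts['os_family']` in the Archlinux task); pick one. The unpinned URL and missing `checksum` are raised on the defaults/main.yml hunk.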
diff --git a/tasks/ssl.yml b/tasks/ssl.yml new file mode 100644 index 0000000..a1cb905 --- /dev/null +++ b/tasks/ssl.yml @@ -0,0 +1,39 @@ +- name: install SSL packages + apt: + name: + - python3-openssl + - python3-crypto + - python3-cryptography + - python-openssl + - python-crypto + - python-cryptography + state: present + +- name: create ssl directory + file: + path: "/etc/ssl/{{ app_name }}" + state: directory + owner: "{{ app_user }}" + group: "{{ app_user }}" + mode: 0750 + +- name: generate an OpenSSL private key with the default values (4096 bits, RSA) + become_user: "{{ app_user }}" + openssl_privatekey: + path: "/etc/ssl/{{ app_name }}/local.pem" + +- name: generate an OpenSSL certificate signing request + become_user: "{{ app_user }}" + openssl_csr: + path: "/etc/ssl/{{ app_name }}/local.csr" + privatekey_path: "/etc/ssl/{{ app_name }}/local.pem" + common_name: fudiggity.nl + +- name: generate a self signed OpenSSL certificate + become_user: "{{ app_user }}" + openssl_certificate: + force: yes + path: "/etc/ssl/{{ app_name }}/{{ app_name }}.crt" + privatekey_path: "/etc/ssl/{{ app_name }}/local.pem" + csr_path: "/etc/ssl/{{ app_name }}/local.csr" + provider: selfsigned diff --git a/tasks/sudoers.yml b/tasks/sudoers.yml new file mode 100644 index 0000000..c3c3bec --- /dev/null +++ b/tasks/sudoers.yml @@ -0,0 +1,7 @@ +- name: copy extra sudoers file + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: "0644" diff --git a/templates/hostname.j2 b/templates/hostname.j2 new file mode 100644 index 0000000..5154983 --- /dev/null +++ b/templates/hostname.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +{{ hostname }} diff --git a/templates/hosts.j2 b/templates/hosts.j2 new file mode 100644 index 0000000..7f5beb2 --- /dev/null +++ b/templates/hosts.j2 
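Review bot: `generate a self signed OpenSSL certificate` sets `force: yes`, so a new certificate is issued on every run and the task is never idempotent; drop `force` and let the module regenerate only when the key, CSR or expiry changes. `common_name: fudiggity.nl` is hard-coded while every path in the file is built from `app_name`; it should come from a variable (e.g. `ssl_common_name`) so the role is reusable. `mode: 0750` is the only unquoted mode in the role — it parses as an octal integer here, but quote it as `"0750"` like the others. `python-crypto`/`python3-crypto` are the unmaintained PyCrypto packages; the `openssl_*` modules use `cryptography`, so the crypto and Python 2 entries can be removed from the package list.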
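Review bot: The sudoers fragment is written with `mode: "0644"`, but sudo expects files under `/etc/sudoers.d` to be root-owned and mode 0440 and complains about anything else; use `mode: "0440"`. Add `validate: "visudo -cf %s"` to the template task so a syntax error in the rendered fragment fails the task instead of being installed and breaking every subsequent `sudo`/`become` for the ansible user. The template itself (templates/sudoers.j2) grants `ansible` `NOPASSWD: ALL` as `default_user`, which is what the role's `become_user` tasks rely on; a comment in the task saying so would help the next maintainer.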
@@ -0,0 +1,9 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +127.0.0.1 localhost +127.0.1.1 {{ hostname }} + +# The following lines are desirable for IPv6 capable hosts +# ::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/templates/network.j2 b/templates/network.j2 new file mode 100644 index 0000000..526a790 --- /dev/null +++ b/templates/network.j2 @@ -0,0 +1,9 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +[Match] +Name={{ host_interface }} + +[Network] +Address={{ host_ip }}/{{ host_subnet }} +Gateway={{ host_gateway }} +DNS={{ host_dns }} diff --git a/templates/nftables.j2 b/templates/nftables.j2 new file mode 100644 index 0000000..c755ea9 --- /dev/null +++ b/templates/nftables.j2 @@ -0,0 +1,19 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +# vim:set ts=2 sw=2 et: + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + + # accept any localhost traffic + iif lo accept + + # accept traffic originated from us + ct state { established, related } accept + + tcp dport 22 accept + } +} diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 new file mode 100644 index 0000000..ecac8dd --- /dev/null +++ b/templates/nginx.conf.j2 
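Review bot: The template keeps the `ff02::1`/`ff02::2` multicast entries but comments out `::1 localhost ip6-localhost ip6-loopback`, so `localhost` resolves only to 127.0.0.1 while the host is otherwise configured for IPv6; services that bind or connect on `::1` then fail name lookups. Restore the line as `::1 localhost ip6-localhost ip6-loopback` (uncommented) to match the stock Debian `/etc/hosts`.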
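Review bot: With `policy drop` on the `inet` input hook and no ICMP rule, ICMPv6 neighbour discovery and router advertisements are dropped, which breaks IPv6 connectivity on the host (hosts.j2 and network.j2 show IPv6 is expected), and ICMPv4 path-MTU and echo are lost too. Add `ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept` and `meta l4proto icmp accept` above the `tcp dport 22` rule, and `ct state invalid drop` before the established/related accept. `tcp dport 22` mirrors the hard-coded `Port 22` in sshd_config.j2; driving both from one variable keeps them from drifting apart.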
@@ -0,0 +1,51 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; +} + +http { + ## + # Basic Settings + ## + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers HIGH:!aNULL:!MD5; + + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 1d; + + ## + # Logging Settings + ## + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + gzip off; + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 new file mode 100644 index 0000000..cd03e07 --- /dev/null +++ b/templates/sshd_config.j2 
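Review bot: `ssl_ciphers HIGH:!aNULL:!MD5` still admits CBC suites and non-PFS RSA key exchange under TLSv1.2; an explicit ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` gives forward secrecy and AEAD only. `ssl_protocols TLSv1.2 TLSv1.3;` is worth adding where the nginx/OpenSSL pair supports it (the cipher list above does not affect 1.3 suites). `server_tokens off;` in the `http` block is missing and is the cheapest hardening in this file. The `1d` session timeout with a shared cache is fine, but note that session tickets remain on by default.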
@@ -0,0 +1,123 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +MaxAuthTries 6 +#MaxSessions 10 + +PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/templates/sudoers.j2 b/templates/sudoers.j2 new file mode 100644 index 0000000..ac3bc08 --- /dev/null +++ b/templates/sudoers.j2 
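Review bot: `LogLevel INFO` does not record which public key authenticated a session; `LogLevel VERBOSE` logs the key fingerprint on each login, which is what makes per-key attribution possible when `authorized_keys` holds several keys. `AllowTcpForwarding` and `AllowAgentForwarding` are left at their `yes` defaults; if this role targets servers rather than jump hosts, setting both to `no` removes two common pivot paths — confirm against how the hosts are used. `Port 22` is fixed here and in nftables.j2; templating both from one variable keeps the firewall and daemon in step. The rest of the authentication section (`PermitRootLogin no`, `PasswordAuthentication no`, `ChallengeResponseAuthentication no`, `UsePAM yes`) is consistent.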
@@ -0,0 +1,3 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +ansible ALL = ({{ default_user }}:{{ default_user }}) NOPASSWD: ALL diff --git a/vars/archlinux.yml b/vars/archlinux.yml new file mode 100644 index 0000000..acad597 --- /dev/null +++ b/vars/archlinux.yml @@ -0,0 +1,2 @@ +known_hosts_packages: + - openssh diff --git a/vars/debian-buster.yml b/vars/debian-buster.yml new file mode 100644 index 0000000..64df6d3 --- /dev/null +++ b/vars/debian-buster.yml @@ -0,0 +1 @@ +known_hosts_packages: [] diff --git a/vars/ubuntu-focal.yml b/vars/ubuntu-focal.yml new file mode 100644 index 0000000..64df6d3 --- /dev/null +++ b/vars/ubuntu-focal.yml @@ -0,0 +1 @@ +known_hosts_packages: []