Codechange: Reorganise playbook into an actually defined role that we…
… call before certbot/nginx
Showing
6 changed files
with
171 additions
and
161 deletions.
@@ -0,0 +1,17 @@ | ||
- name: Disable cloud-init networking | ||
copy: | ||
dest: /etc/cloud/cloud.cfg.d/98-disable-network-config.cfg | ||
content: "network: {config: disabled}\n" | ||
notify: | ||
restart networking | ||
|
||
- name: Configure IPv6 | ||
template: | ||
src: templates/60-ipv6.j2 | ||
dest: /etc/network/interfaces.d/60-ipv6 | ||
notify: | ||
restart networking | ||
when: ipv6_addr is defined | ||
|
||
- name: Flush handlers to restart networking | ||
meta: flush_handlers |
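Review bot: Disabling cloud-init's network rendering at L22-L27 runs unconditionally, but the only replacement configuration this hunk writes is the IPv6 fragment, and only `when: ipv6_addr is defined`; on an image where cloud-init was generating the primary interface's stanza, the host can come back from the later reboot with no network at all, so add a comment (or a preceding `stat`/`assert`) stating that `/etc/network/interfaces` must already define the primary interface before this file is dropped. Both `copy` and `template` omit `owner`/`group`/`mode`, leaving the result to the remote umask; `mode: "0644"` on each makes it explicit. Note also that the `flush_handlers` at L39-L40 restarts the `networking` unit over the same SSH session Ansible is using, so if the interface bounces the play dies mid-way — consider `ifup` of only the new fragment, or deferring to the reboot that `firewall.yml` already performs.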
@@ -0,0 +1,24 @@ | ||
- name: restart ssh | ||
service: | ||
name: ssh | ||
state: restarted | ||
|
||
- name: restart sshguard | ||
service: | ||
name: sshguard | ||
state: restarted | ||
|
||
- name: restart journal | ||
service: | ||
name: systemd-journald | ||
state: restarted | ||
|
||
- name: restart firewalld | ||
service: | ||
name: firewalld | ||
state: restarted | ||
|
||
- name: restart networking | ||
service: | ||
name: networking | ||
state: restarted |
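Review bot: The `restart ssh` (L46-L49) and `restart firewalld` (L64-L67) handlers use `state: restarted` where `state: reloaded` is sufficient and fails safer: sshd re-reads its config on reload without dropping the listener, and firewalld's `permanent: true` rules are applied by `firewall-cmd --reload`, whereas a full restart tears down and rebuilds the whole ruleset. On Debian the `ssh.service` reload path runs `sshd -t` first, so a broken `sshd_config` is rejected and the running daemon keeps serving, while a restart of a broken config leaves the host with no sshd — confirm against the installed unit. Since `restart ssh` is triggered by an unvalidated `copy` of `sshd_config` in the main task file, this is the last line of defence against lockout; change both handlers to `state: reloaded`.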
@@ -0,0 +1,66 @@ | ||
- name: Install firewalld & python bindings | ||
apt: | ||
name: | ||
- firewalld # Required for ansible.posix.firewalld | ||
- python3-firewall | ||
- iptables # Newer version fixes a bug in buster iptables | ||
- sshguard # Helpful at blocking ssh attacks | ||
default_release: "{{ ansible_distribution_release }}-backports" | ||
state: present | ||
|
||
- name: Configure firewalld | ||
lineinfile: | ||
path: /etc/firewalld/firewalld.conf | ||
regexp: "^FirewallBackend=" | ||
line: "FirewallBackend=nftables" | ||
notify: | ||
- restart firewalld | ||
register: firewalld_backend | ||
|
||
- name: Reboot to get new firewall configuration (notably iptables) | ||
reboot: | ||
search_paths: | ||
- "/lib/molly-guard" | ||
- "/usr/sbin" # molly-guard might not have been installed yet | ||
when: firewalld_backend.changed | ||
|
||
- name: Configure firewall rules | ||
ansible.posix.firewalld: | ||
permanent: true | ||
state: enabled | ||
port: "{{ item }}" | ||
with_items: | ||
- "22/tcp" | ||
- "80/tcp" | ||
- "443/tcp" | ||
- "67/udp" # dhcp | ||
- "68/udp" # dhcp | ||
- "123/udp" # ntp | ||
notify: | ||
- restart firewalld | ||
|
||
- name: Create sshguard blacklist db directory | ||
file: | ||
path: /var/db/sshguard | ||
state: directory | ||
|
||
- name: Configure sshguard | ||
lineinfile: | ||
path: /etc/sshguard/sshguard.conf | ||
regexp: "{{ item.regexp }}" | ||
line: "{{ item.line }}" | ||
with_items: | ||
# Use firewalld backend | ||
- regexp: "^BACKEND=" | ||
line: 'BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-firewalld"' | ||
# Workaround https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928525 | ||
- regexp: "^LOGREADER=" | ||
line: 'LOGREADER="LANG=C /bin/journalctl -afb -p info -t sshd -n1 -o cat"' | ||
# Set persistent blacklist | ||
- regexp: "^BLACKLIST_FILE=" | ||
line: 'BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db' | ||
notify: | ||
- restart sshguard | ||
|
||
- name: Flush handlers to reload firewall with new config | ||
meta: flush_handlers |
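Review bot: The rule loop at L108-L121 opens `67/udp` and `123/udp` inbound, which is only needed if this host serves DHCP or NTP: a DHCP client receives on 68/udp (and dhclient bypasses netfilter with raw sockets), and an NTP client's replies are matched by conntrack, so these two entries mainly expose a listening dhcpd/ntpd to the network — NTP being a classic amplification vector. Unless the host is meant to serve them, drop those two items or add a comment naming the daemon that needs them. The sshguard `BACKEND` line at L138 hardcodes the `x86_64-linux-gnu` multiarch path, which silently leaves sshguard without a firewall backend on arm64 (`aarch64-linux-gnu`) or any other architecture; at minimum add `# x86_64 only — path is the Debian multiarch tuple` so the failure mode is documented. Minor: `permanent: true` without `immediate: true` means the rules only exist after the handler restarts firewalld, which the `flush_handlers` at L149 does — a comment there would stop someone removing it.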
@@ -0,0 +1,60 @@ | ||
# Needed to pull in python3-firewall (buster only) | ||
- name: Add backports repo | ||
apt_repository: | ||
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main | ||
state: present | ||
filename: backports | ||
|
||
- name: Update apt | ||
apt: | ||
update_cache: true | ||
cache_valid_time: 86400 # a day is plenty | ||
changed_when: false | ||
|
||
- name: Upgrade & cleanup apt | ||
apt: | ||
upgrade: safe | ||
autoremove: true | ||
autoclean: true | ||
|
||
- name: Install apt https support & cron | ||
apt: | ||
name: | ||
- apt-transport-https | ||
- cron # required for certbot | ||
state: present | ||
|
||
- name: Firewall setup | ||
include: firewall.yml | ||
|
||
- name: Enable persistent systemd journal | ||
lineinfile: | ||
path: /etc/systemd/journald.conf | ||
regexp: "^Storage=" | ||
line: "Storage=persistent" | ||
notify: | ||
restart journal | ||
|
||
- name: Add users' ssh keys to the current account | ||
authorized_key: | ||
user: "{{ ansible_user }}" | ||
key: "{{ item }}" | ||
with_items: "{{ keys }}" | ||
|
||
- name: Copy sshd config | ||
copy: | ||
src: files/sshd_config | ||
dest: /etc/ssh/sshd_config | ||
notify: | ||
restart ssh | ||
|
||
- name: Install some helpful utilities | ||
apt: | ||
name: | ||
- bash-completion | ||
- logrotate | ||
- molly-guard | ||
- rsync | ||
- unattended-upgrades | ||
- vim | ||
state: present |
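Review bot: The `Copy sshd config` task at L206-L211 overwrites `/etc/ssh/sshd_config` with no `validate:` step, so a syntax error in `files/sshd_config` is only discovered when the `restart ssh` handler fails and leaves the host without a listener; add `validate: "/usr/sbin/sshd -t -f %s"` plus `owner: root`, `group: root`, `mode: "0644"` to the copy. The `authorized_key` task at L199-L203 only ever adds keys, so a key removed from `keys` stays authorized on existing hosts — either use `exclusive: true` with `key: "{{ keys | join('\n') }}"` (no loop), or document that revocation is manual. `include: firewall.yml` at L187 is the deprecated static/dynamic hybrid that recent ansible-core releases have removed; `import_tasks: firewall.yml` keeps the same behaviour here. The backports repo at L159 is added over plain `http://` immediately before `apt-transport-https` is installed; apt's signature check still protects integrity, but `https://deb.debian.org` is free once that package is present, and the order of those two tasks should say so in a comment if http is intentional.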