the-nine-worlds/loki
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2023-02-05. You can view files and clone it, but cannot push or open issues or pull requests.
1c8bc92000
loki/ansible/machine.yml

349 lines
9.2 KiB
YAML
Raw Normal View History

Add ansible playbooks
2018-12-16 01:25:02 +01:00
---
- hosts: server
vars_files:
- secrets.yml
tasks:
# -------------------------------------------------------------------------
# Update and upgrade.
# -------------------------------------------------------------------------
- name: Update and upgrade apt packages
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
force_apt_get: yes
register: apt_update
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
- name: Reboot the machine
reboot:
Add ansible playbooks
2018-12-16 01:25:02 +01:00
when: apt_update is changed
Remove rkhunter and chkrootkit in favour of unattended-upgrades
2019-11-29 09:11:54 +01:00
# -------------------------------------------------------------------------
# Ensure unattended upgrades is installed.
# -------------------------------------------------------------------------
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
- name: Configure unattended-upgrades
template:
src: ./etc/apt/apt.conf.d/50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644
- name: Enable unattended-upgrades
template:
src: ./etc/apt/apt.conf.d/20auto-upgrades.j2
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644
Add ansible playbooks
2018-12-16 01:25:02 +01:00
# -------------------------------------------------------------------------
Add fstrim timer to ansible play
2018-12-18 02:41:47 +01:00
# Loki uses SSDs so use fstrim on a timer.
# -------------------------------------------------------------------------
- name: Copy fstrim service file
Use template instead of copy for fstrim
2019-11-29 09:10:44 +01:00
template:
src: ./etc/systemd/system/fstrim.service.j2
Add fstrim timer to ansible play
2018-12-18 02:41:47 +01:00
dest: /etc/systemd/system/fstrim.service
mode: 0644
- name: Copy fstrim timer file
Use template instead of copy for fstrim
2019-11-29 09:10:44 +01:00
template:
src: ./etc/systemd/system/fstrim.timer.j2
Add fstrim timer to ansible play
2018-12-18 02:41:47 +01:00
dest: /etc/systemd/system/fstrim.timer
mode: 0644
- name: Enable and start fstrim.timer
service:
name: fstrim.timer
state: started
enabled: yes
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
# -------------------------------------------------------------------------
Reformatted external USB
2019-12-14 14:11:09 +01:00
# Set up the USB flash drive.
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
# -------------------------------------------------------------------------
- name: Create USB mount directory
file:
path: /media/usb0
state: directory
- name: Ensure USB drive is auto-mounted
lineinfile:
Reformatted external USB
2019-12-14 14:11:09 +01:00
line: "LABEL=Muninn /media/usb0 ext4 defaults 0 0"
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
dest: "/etc/fstab"
Add fstrim timer to ansible play
2018-12-18 02:41:47 +01:00
# -------------------------------------------------------------------------
Add ansible playbooks
2018-12-16 01:25:02 +01:00
# Apparmor.
# -------------------------------------------------------------------------
- name: Install apparmor, utilities, and profiles
apt:
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
name:
- apparmor
- apparmor-utils
- apparmor-profiles
- apparmor-profiles-extra
Add ansible playbooks
2018-12-16 01:25:02 +01:00
register: apparmor
- name: Ensure /etc/default/grub.d exists
file:
path: /etc/default/grub.d
state: directory
mode: 0755
- name: Enable apparmor
template:
src: ./etc/default/grub.d/apparmor.cfg.j2
dest: /etc/default/grub.d/apparmor.cfg
mode: 0644
register: apparmor_cfg
- block:
- name: Update grub
command: update-grub
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
- name: Reboot the machine
reboot:
Add ansible playbooks
2018-12-16 01:25:02 +01:00
when:
apparmor is changed or
apparmor_cfg is changed
# -------------------------------------------------------------------------
# Firewall.
# -------------------------------------------------------------------------
- name: Install nftables
apt:
name: nftables
register: nftables
- name: Configure nftables
template:
src: ./etc/nftables.conf.j2
dest: /etc/nftables.conf
mode: 0644
register: nftables_cfg
- name: Enable and restart nftables
service:
name: nftables
state: restarted
enabled: yes
when:
nftables is changed or
nftables_cfg is changed
# -------------------------------------------------------------------------
# Postfix.
# -------------------------------------------------------------------------
- name: Install postfix
apt:
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
name:
- postfix
- ca-certificates
- libsasl2-modules
Add ansible playbooks
2018-12-16 01:25:02 +01:00
register: postfix
- name: Configure credentials
template:
src: ./etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd
mode: 0600
register: postfix_cred
- name: Configure mailname
template:
src: ./etc/mailname.j2
dest: /etc/mailname
mode: 0644
register: postfix_mailname
- name: Configure postfix
template:
src: ./etc/postfix/main.cf.j2
dest: /etc/postfix/main.cf
mode: 0644
register: postfix_cfg
- name: Postmap
command: postmap /etc/postfix/sasl_passwd
when:
postfix_cred is changed or
postfix_mailname is changed
- name: Change DB permissions
file:
path: /etc/postfix/sasl_passwd.db
mode: 0600
- name: Set root alias
template:
src: ./etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: postfix_aliases
- name: Update aliases
command: newaliases
when: postfix_aliases is changed
- name: Enable and restart postfix
service:
name: postfix
state: restarted
enabled: yes
when:
postfix is changed or
postfix_cred is changed or
postfix_mailname is changed or
postfix_cfg is changed or
postfix_aliases is changed
# -------------------------------------------------------------------------
# Fail2Ban.
# -------------------------------------------------------------------------
- name: Install fail2ban
apt:
name: fail2ban
register: fail2ban
- name: Configure fail2ban
template:
src: ./etc/fail2ban/jail.d/jail.local.j2
dest: /etc/fail2ban/jail.d/jail.local
mode: 0644
register: fail2ban_cfg
- name: Enable and restart fail2ban
service:
name: fail2ban
state: restarted
enabled: yes
when:
fail2ban is changed or
fail2ban_cfg is changed
# -------------------------------------------------------------------------
# Logcheck and Logrotate.
# -------------------------------------------------------------------------
- name: Install logcheck and logrotate
apt:
Update to buster and mount exfat USB
2019-08-02 22:55:15 +02:00
name:
- logcheck
- logrotate
Add ansible playbooks
2018-12-16 01:25:02 +01:00
- name: Configure logcheck
template:
src: ./etc/logcheck/ignore.d.server/local-server.j2
dest: /etc/logcheck/ignore.d.server/local-server
mode: 0644
Some more hardening
2018-12-16 12:05:29 +01:00
# -------------------------------------------------------------------------
# Process accounting.
# -------------------------------------------------------------------------
- name: Install acct
apt:
name: acct
register: acct
- name: Switch on process accounting
command: accton on
when: acct is changed
# -------------------------------------------------------------------------
# System performance monitor.
# -------------------------------------------------------------------------
- name: Install sysstat
apt:
name: sysstat
register: sysstat
- name: Configure sysstat
template:
src: ./etc/default/sysstat.j2
dest: /etc/default/sysstat
mode: 0644
register: sysstat_cfg
- block:
- name: Start sysstat
command: /etc/init.d/sysstat start
- name: Set sysstat defaults
command: update-rc.d sysstat defaults
when:
sysstat is changed or
sysstat_cfg is changed
# -------------------------------------------------------------------------
# Auditing.
# -------------------------------------------------------------------------
- name: Install auditd
apt:
name: auditd
register: auditd
- name: Configure auditd
template:
src: ./etc/audit/rules.d/custom.rules.j2
dest: /etc/audit/rules.d/custom.rules
mode: 0644
register: auditd_cfg
- name: Enable and restart auditd
service:
name: auditd
state: restarted
enabled: yes
when:
auditd is changed or
auditd_cfg is changed
Make sure user is in sudo group
2018-12-17 01:51:41 +01:00
# -------------------------------------------------------------------------
# Install sudo and user to group.
# -------------------------------------------------------------------------
- name: Install sudo
apt:
name: sudo
- name: Adding existing user to group sudo
user:
name: "{{ ansible_ssh_user }}"
groups: sudo
append: yes
Add MotD and fix some typos
2018-12-16 11:29:00 +01:00
# -------------------------------------------------------------------------
# Set MotD.
# -------------------------------------------------------------------------
- name: Set MotD
template:
src: ./etc/motd.j2
dest: /etc/motd
mode: 0644
Small fixes for things that came up in deployment
2018-12-16 21:37:50 +01:00
# -------------------------------------------------------------------------
# Set root's .bashrc file.
# -------------------------------------------------------------------------
- name: Set root .bashrc
copy:
src: ./root.bashrc
dest: /root/.bashrc
mode: 0644
Reference in New Issue Copy Permalink