--- - hosts: server vars_files: - secrets.yml tasks: # ------------------------------------------------------------------------- # Update and upgrade. # ------------------------------------------------------------------------- - name: Update and upgrade apt packages apt: upgrade: yes update_cache: yes cache_valid_time: 86400 #One day force_apt_get: yes register: apt_update - name: Reboot the machine reboot: when: apt_update is changed # ------------------------------------------------------------------------- # Ensure unattended upgrades is installed. # ------------------------------------------------------------------------- - name: Install unattended-upgrades apt: name: unattended-upgrades - name: Configure unattended-upgrades template: src: ./etc/apt/apt.conf.d/50unattended-upgrades.j2 dest: /etc/apt/apt.conf.d/50unattended-upgrades mode: 0644 - name: Enable unattended-upgrades template: src: ./etc/apt/apt.conf.d/20auto-upgrades.j2 dest: /etc/apt/apt.conf.d/20auto-upgrades mode: 0644 # ------------------------------------------------------------------------- # Loki uses SSDs so use fstrim on a timer. # ------------------------------------------------------------------------- - name: Copy fstrim service file template: src: ./etc/systemd/system/fstrim.service.j2 dest: /etc/systemd/system/fstrim.service mode: 0644 - name: Copy fstrim timer file template: src: ./etc/systemd/system/fstrim.timer.j2 dest: /etc/systemd/system/fstrim.timer mode: 0644 - name: Enable and start fstrim.timer service: name: fstrim.timer state: started enabled: yes # ------------------------------------------------------------------------- # Set up the USB flash drive. # ------------------------------------------------------------------------- - name: Create USB mount directory file: path: /media/usb0 state: directory - name: Ensure USB drive is auto-mounted lineinfile: line: "LABEL=Muninn /media/usb0 ext4 defaults 0 0" dest: "/etc/fstab" # ------------------------------------------------------------------------- # Apparmor. # ------------------------------------------------------------------------- - name: Install apparmor, utilities, and profiles apt: name: - apparmor - apparmor-utils - apparmor-profiles - apparmor-profiles-extra register: apparmor - name: Ensure /etc/default/grub.d exists file: path: /etc/default/grub.d state: directory mode: 0755 - name: Enable apparmor template: src: ./etc/default/grub.d/apparmor.cfg.j2 dest: /etc/default/grub.d/apparmor.cfg mode: 0644 register: apparmor_cfg - block: - name: Update grub command: update-grub - name: Reboot the machine reboot: when: apparmor is changed or apparmor_cfg is changed # ------------------------------------------------------------------------- # Firewall. # ------------------------------------------------------------------------- - name: Install nftables apt: name: nftables register: nftables - name: Configure nftables template: src: ./etc/nftables.conf.j2 dest: /etc/nftables.conf mode: 0644 register: nftables_cfg - name: Enable and restart nftables service: name: nftables state: restarted enabled: yes when: nftables is changed or nftables_cfg is changed # ------------------------------------------------------------------------- # Postfix. # ------------------------------------------------------------------------- - name: Install postfix apt: name: - postfix - ca-certificates - libsasl2-modules register: postfix - name: Configure credentials template: src: ./etc/postfix/sasl_passwd.j2 dest: /etc/postfix/sasl_passwd mode: 0600 register: postfix_cred - name: Configure mailname template: src: ./etc/mailname.j2 dest: /etc/mailname mode: 0644 register: postfix_mailname - name: Configure postfix template: src: ./etc/postfix/main.cf.j2 dest: /etc/postfix/main.cf mode: 0644 register: postfix_cfg - name: Postmap command: postmap /etc/postfix/sasl_passwd when: postfix_cred is changed or postfix_mailname is changed - name: Change DB permissions file: path: /etc/postfix/sasl_passwd.db mode: 0600 - name: Set root alias template: src: ./etc/aliases.j2 dest: /etc/aliases mode: 0644 register: postfix_aliases - name: Update aliases command: newaliases when: postfix_aliases is changed - name: Enable and restart postfix service: name: postfix state: restarted enabled: yes when: postfix is changed or postfix_cred is changed or postfix_mailname is changed or postfix_cfg is changed or postfix_aliases is changed # ------------------------------------------------------------------------- # Fail2Ban. # ------------------------------------------------------------------------- - name: Install fail2ban apt: name: fail2ban register: fail2ban - name: Configure fail2ban template: src: ./etc/fail2ban/jail.d/jail.local.j2 dest: /etc/fail2ban/jail.d/jail.local mode: 0644 register: fail2ban_cfg - name: Enable and restart fail2ban service: name: fail2ban state: restarted enabled: yes when: fail2ban is changed or fail2ban_cfg is changed # ------------------------------------------------------------------------- # Logcheck and Logrotate. # ------------------------------------------------------------------------- - name: Install logcheck and logrotate apt: name: - logcheck - logrotate - name: Configure logcheck template: src: ./etc/logcheck/ignore.d.server/local-server.j2 dest: /etc/logcheck/ignore.d.server/local-server mode: 0644 # ------------------------------------------------------------------------- # Process accounting. # ------------------------------------------------------------------------- - name: Install acct apt: name: acct register: acct - name: Switch on process accounting command: accton on when: acct is changed # ------------------------------------------------------------------------- # System performance monitor. # ------------------------------------------------------------------------- - name: Install sysstat apt: name: sysstat register: sysstat - name: Configure sysstat template: src: ./etc/default/sysstat.j2 dest: /etc/default/sysstat mode: 0644 register: sysstat_cfg - block: - name: Start sysstat command: /etc/init.d/sysstat start - name: Set sysstat defaults command: update-rc.d sysstat defaults when: sysstat is changed or sysstat_cfg is changed # ------------------------------------------------------------------------- # Auditing. # ------------------------------------------------------------------------- - name: Install auditd apt: name: auditd register: auditd - name: Configure auditd template: src: ./etc/audit/rules.d/custom.rules.j2 dest: /etc/audit/rules.d/custom.rules mode: 0644 register: auditd_cfg - name: Enable and restart auditd service: name: auditd state: restarted enabled: yes when: auditd is changed or auditd_cfg is changed # ------------------------------------------------------------------------- # Install sudo and user to group. # ------------------------------------------------------------------------- - name: Install sudo apt: name: sudo - name: Adding existing user to group sudo user: name: "{{ ansible_ssh_user }}" groups: sudo append: yes # ------------------------------------------------------------------------- # Set MotD. # ------------------------------------------------------------------------- - name: Set MotD template: src: ./etc/motd.j2 dest: /etc/motd mode: 0644 # ------------------------------------------------------------------------- # Set root's .bashrc file. # ------------------------------------------------------------------------- - name: Set root .bashrc copy: src: ./root.bashrc dest: /root/.bashrc mode: 0644