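---
# Common host baseline, run as one block tagged "common":
# hostname/FQDN, an exim4 DKIM signing key, an nftables input firewall,
# base packages, root's authorized_keys and sshd hardening.
# Handlers (reload exim4, reload nftables, restart sshd) are defined elsewhere.
- block:
    - name: Configure hostname
      hostname:
        name: "{{ inventory_hostname_short }}"

    - name: Configure FQDN
      # Keep the loopback line of /etc/hosts in sync with the inventory name
      # so the FQDN and short name resolve locally.
      lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
        owner: root
        group: root
        mode: "0644"  # quoted: an unquoted 0644 is a YAML 1.1 octal int

    - name: Choose a DKIM selector
      # Dots are replaced so the selector is a single DNS label.
      set_fact:
        dkim_selector: "{{ inventory_hostname | replace('.', '-') }}"

    - name: Create /etc/exim4/dkim/ directory
      file:
        path: /etc/exim4/dkim/
        state: directory
        mode: "0750"
        owner: Debian-exim
        group: Debian-exim

    - name: Generate a private key for DKIM
      # RFC 8301 requires signers to use at least 1024-bit RSA and recommends
      # 2048 bits; the size can be overridden with dkim_key_bits. A 2048-bit
      # public key does not fit a single 255-byte TXT string and must be split
      # when published. The `creates` guard means an existing key (of whatever
      # size) is never regenerated.
      # NOTE(review): openssl writes the key with root's default umask; it is
      # only restricted to 0640 by the next task — confirm that window is acceptable.
      command: >-
        openssl genrsa
        -out /etc/exim4/dkim/{{ dkim_selector }}-private.key
        {{ dkim_key_bits | default(2048) }}
      args:
        creates: /etc/exim4/dkim/{{ dkim_selector }}-private.key

    - name: Allow exim to read the DKIM private key
      # root-owned, readable by the Debian-exim group, nothing for others.
      file:
        path: /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: Debian-exim
        mode: "0640"

    - name: Derive the public key for DKIM
      # The .pem is the public half, the part that gets published in DNS.
      command: >-
        openssl rsa
        -in {{ dkim_selector }}-private.key
        -out {{ dkim_selector }}.pem
        -pubout -outform PEM
      args:
        chdir: /etc/exim4/dkim/
        creates: /etc/exim4/dkim/{{ dkim_selector }}.pem

    - name: Configure exim to use our DKIM key
      copy:
        dest: /etc/exim4/conf.d/main/00_local_macros
        content: |
          DKIM_CANON = relaxed
          DKIM_SELECTOR = {{ dkim_selector }}
          DKIM_DOMAIN = {{ inventory_hostname }}
          DKIM_PRIVATE_KEY = /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: root
        mode: "0644"
      notify: reload exim4
      register: config_exim

    - name: Reconfigure exim4
      # Regenerates the merged exim configuration right away; the handler
      # notified above reloads the daemon at the end of the play.
      command: update-exim4.conf
      when: config_exim is changed

    - name: Install nftables
      package:
        name: nftables
        state: present

    - name: Install the nftables ruleset
      # NOTE(review): the table is "inet" (IPv4 and IPv6) and the chain ends
      # in "counter drop", so ICMPv6 neighbour discovery is dropped unless
      # nft_extra admits it — confirm IPv6 hosts stay reachable.
      # nft_extra must be defined for every host; an undefined variable fails
      # the template step.
      copy:
        content: |
          #!/usr/sbin/nft -f

          flush ruleset

          table inet filter {
            chain input {
              type filter hook input priority 0;
              iif lo accept
              ct state established,related accept
              tcp dport { ssh, http, https, smtp, imap2, imaps } ct state new accept
              {{ nft_extra }}
              counter drop
            }
          }
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0755"  # executable because of the nft -f shebang
      notify: reload nftables

    - name: Enable and start nftables
      service:
        name: nftables
        enabled: true
        state: started
        daemon_reload: true

    - name: Update via apt (mandatory on first run)
      apt:
        update_cache: true
        cache_valid_time: 86400  # seconds: skip the refresh if the cache is under a day old

    - name: Install some usefull packages
      apt:
        state: present
        name:
          - aptitude
          - emacs-nox
          - fail2ban
          - git
          - htop
          - ncdu
          - ntp
          - python3
          - python3-dev
          - python3-pip
          - python3-setuptools
          - python3-venv
          - python3-wheel
          - rsync
          - sudo
          - tcpdump
          - vim-nox

    - name: Set some authorized keys
      # authorized_keys is a play variable (not defined here) holding the
      # complete file contents; the file is replaced, not appended to.
      copy:
        content: "{{ authorized_keys }}"
        dest: /root/.ssh/authorized_keys
        mode: "0600"
        owner: root
        group: root

    - name: Ensure mlocate and locate are not installed
      apt:
        name:
          - mlocate
          - locate
        state: absent

    # From https://infosec.mozilla.org/guidelines/openssh
    - name: SSHd hardening
      # AuthenticationMethods publickey leaves key-based login as the only
      # method that can succeed; LogLevel VERBOSE records the key fingerprint
      # used for each login.
      blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
        path: /etc/ssh/sshd_config
        state: present
        create: true
        block: |
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_ecdsa_key

          AuthenticationMethods publickey
          LogLevel VERBOSE
      notify: restart sshd
      tags: ssh
  tags: common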