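---
# Common host bootstrap: hostname/FQDN, exim4 DKIM signing, nftables input
# filtering, base packages, root authorized_keys and sshd hardening.
# Expected inventory/group vars: authorized_keys (file content for
# /root/.ssh/authorized_keys), nft_extra (optional additional nft rules),
# dkim_key_bits (optional, defaults to 2048).
- block:
    - name: Configure hostname
      hostname:
        name: "{{ inventory_hostname_short }}"

    - name: Configure FQDN
      lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
        owner: root
        group: root
        # Octal modes are quoted so Ansible parses them as octal rather than
        # the YAML loader turning 0644 into the decimal integer 420.
        mode: "0644"

    # The selector is derived from the FQDN, so the DNS TXT record to publish
    # is "<dkim_selector>._domainkey.<inventory_hostname>".
    - name: Choose a DKIM selector
      set_fact:
        dkim_selector: "{{ inventory_hostname | replace('.', '-') }}"

    # 0750 keeps the directory non-traversable by "other", which also covers
    # the short window between key generation and the chmod task below.
    - name: Create /etc/exim4/dkim/ directory
      file:
        path: /etc/exim4/dkim/
        state: directory
        mode: "0750"
        owner: Debian-exim
        group: Debian-exim

    # RFC 8301 recommends 2048-bit RSA for DKIM signing; 1024-bit keys are the
    # minimum verifiers must accept. Override with dkim_key_bits if needed.
    # "creates" makes this idempotent: an existing key is never regenerated,
    # so rotating a key means removing the file and republishing the DNS record.
    - name: Generate a private key for DKIM
      command: openssl genrsa -out /etc/exim4/dkim/{{ dkim_selector }}-private.key {{ dkim_key_bits | default(2048) }}
      args:
        creates: /etc/exim4/dkim/{{ dkim_selector }}-private.key

    # Root owns the key; the exim group gets read-only access, nobody else.
    - name: Allow exim to read the DKIM private key
      file:
        path: /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: Debian-exim
        mode: "0640"

    - name: Derive the public key for DKIM
      command: openssl rsa -in {{ dkim_selector }}-private.key -out {{ dkim_selector }}.pem -pubout -outform PEM
      args:
        chdir: /etc/exim4/dkim/
        creates: /etc/exim4/dkim/{{ dkim_selector }}.pem

    - name: Configure exim to use our DKIM key
      copy:
        dest: /etc/exim4/conf.d/main/00_local_macros
        content: |
          DKIM_CANON = relaxed
          DKIM_SELECTOR = {{ dkim_selector }}
          DKIM_DOMAIN = {{ inventory_hostname }}
          DKIM_PRIVATE_KEY = /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: root
        mode: "0644"
      notify: reload exim4
      register: config_exim

    # The split-config macros only take effect after the merged config is
    # rebuilt; the "reload exim4" handler then runs at the end of the play.
    - name: Reconfigure exim4
      command: update-exim4.conf
      when: config_exim is changed

    - name: Install nftables
      package:
        name: nftables
        state: present

    # Default-deny input filter. ICMP/ICMPv6 are accepted explicitly: an
    # "inet" chain that drops them breaks IPv6 neighbour discovery and path
    # MTU discovery. nft_extra is optional; when unset the chain simply ends
    # with the drop rule (fail closed).
    - name: Install the nftables ruleset
      copy:
        content: |
          #!/usr/sbin/nft -f
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0;
              iif lo accept
              ct state established,related accept
              ip protocol icmp accept
              ip6 nexthdr icmpv6 accept
              tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
              {{ nft_extra | default('') }}
              counter drop
            }
          }
        dest: /etc/nftables.conf
        owner: root
        group: root
        # Executable because of the "nft -f" shebang.
        mode: "0755"
      notify: reload nftables

    - name: Enable and start nftables
      service:
        name: nftables
        enabled: true
        state: started
        daemon_reload: true

    - name: Update via apt (mandatory on first run)
      apt:
        update_cache: true
        cache_valid_time: 86400

    - name: Install some usefull packages
      apt:
        state: present
        name:
          - aptitude
          - emacs-nox
          - fail2ban
          - git
          - htop
          - ncdu
          - ntp
          - python3
          - python3-dev
          - python3-pip
          - python3-setuptools
          - python3-venv
          - python3-wheel
          - rsync
          - sudo
          - tcpdump
          - vim-nox

    # The copy below fails on a host where /root/.ssh does not exist yet.
    - name: Ensure /root/.ssh exists
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"

    # Replaces the whole file with the authorized_keys variable; keys not in
    # that variable are removed.
    - name: Set some authorized keys
      copy:
        content: "{{ authorized_keys }}"
        dest: /root/.ssh/authorized_keys
        mode: "0600"
        owner: root
        group: root

    - name: Ensure mlocate and locate are not installed
      apt:
        name:
          - mlocate
          - locate
        state: absent

    # From https://infosec.mozilla.org/guidelines/openssh
    # AuthenticationMethods publickey disables password logins outright;
    # make sure the authorized_keys task above has run before relying on it.
    - name: SSHd hardening
      blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
        path: /etc/ssh/sshd_config
        state: present
        create: true
        block: |
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_ecdsa_key
          AuthenticationMethods publickey
          LogLevel VERBOSE
      notify: restart sshd
      tags: ssh
  tags: common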