146 lines
3.9 KiB
YAML
146 lines
3.9 KiB
YAML
---
|
|
|
|
- name: Configure hostname
|
|
hostname:
|
|
name: "{{ inventory_hostname_short }}"
|
|
|
|
- name: Configure localhots
|
|
lineinfile:
|
|
path: /etc/hosts
|
|
regexp: '^127\.0\.0\.1'
|
|
line: "127.0.0.1 localhost"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
|
|
- name: Configure FQDN
|
|
lineinfile:
|
|
path: /etc/hosts
|
|
regexp: '^127\.0\.1\.1'
|
|
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
|
|
- name: Gather facts from all hosts
|
|
setup:
|
|
delegate_to: "{{ item }}"
|
|
delegate_facts: true
|
|
loop: "{{ groups['all'] }}"
|
|
|
|
- package: name=nftables state=present
|
|
|
|
- name: Copy nftables rules
|
|
copy:
|
|
content: |
|
|
#!/usr/sbin/nft -f
|
|
|
|
table inet filter
|
|
flush table inet filter
|
|
|
|
define V4_NEIGHBORS = {
|
|
{% for host in groups["all"] %}
|
|
{% if hostvars[host]['ansible_facts']['default_ipv4'] %}
|
|
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
}
|
|
|
|
define V6_NEIGHBORS = {
|
|
{% for host in groups["all"] %}
|
|
{% if hostvars[host]['ansible_facts']['default_ipv6'] %}
|
|
{{ hostvars[host]['ansible_facts']['default_ipv6']['address'] }}, # {{ hostvars[host]['ansible_facts']['nodename'] }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
}
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
iif lo accept
|
|
ct state established,related accept
|
|
icmp type echo-request counter accept
|
|
icmpv6 type echo-request counter accept
|
|
ip saddr $V4_NEIGHBORS accept
|
|
ip6 saddr $V6_NEIGHBORS accept
|
|
|
|
# accept neighbour discovery otherwise connectivity breaks:
|
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
tcp dport { ssh, http, https, smtp, imap2, imaps} ct state new accept
|
|
{{ nft_extra }}
|
|
counter drop
|
|
}
|
|
}
|
|
|
|
dest: /etc/nftables.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
notify: reload nftables
|
|
|
|
- service: name=nftables enabled=yes state=started daemon_reload=yes
|
|
|
|
- name: Update via apt (mandatory on first run)
|
|
apt:
|
|
update_cache: yes
|
|
cache_valid_time: 86400
|
|
|
|
- name: Install some usefull packages
|
|
apt:
|
|
state: present
|
|
name:
|
|
- aptitude
|
|
- emacs-nox
|
|
- fail2ban
|
|
- git
|
|
- htop
|
|
- man
|
|
- ncdu
|
|
- needrestart
|
|
- ntp
|
|
- python3
|
|
- python3-dev
|
|
- python3-pip
|
|
- python3-setuptools
|
|
- python3-venv
|
|
- python3-wheel
|
|
- rsync
|
|
- sudo
|
|
- tcpdump
|
|
- vim-nox
|
|
|
|
- name: Set authorized SSH keys for root user
|
|
blockinfile:
|
|
content: "{{ root_authorized_keys }}"
|
|
dest: /root/.ssh/authorized_keys
|
|
mode: 0600
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (SSH keys for root user)"
|
|
|
|
- name: Ensure mlocate and locate are not installed
|
|
apt:
|
|
name: ["mlocate", "locate"]
|
|
state: absent
|
|
|
|
# From https://infosec.mozilla.org/guidelines/openssh
|
|
- name: SSHd hardening
|
|
blockinfile:
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
|
|
path: /etc/ssh/sshd_config
|
|
state: present
|
|
create: true
|
|
block: |
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
|
|
AuthenticationMethods publickey
|
|
LogLevel VERBOSE
|
|
notify: restart sshd
|
|
tags: ssh
|