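---
# Common baseline for a Debian mail host: hostname/FQDN, an exim4 DKIM signing
# key, a default-deny nftables input policy, base packages and root's SSH keys.
# Expects `reload exim4` and `reload nftables` handlers to exist, and an
# `authorized_keys` variable holding the full contents of root's authorized_keys.
- block:
    - name: Configure hostname
      hostname:
        name: "{{ inventory_hostname_short }}"

    # Puts both the FQDN and the short name on the loopback line so that
    # `hostname -f` resolves without DNS. (Debian conventionally uses 127.0.1.1
    # for the FQDN; the original 127.0.0.1 line is kept here unchanged.)
    - name: Configure FQDN
      lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
        owner: root
        group: root
        mode: "0644"

    # Selector = hostname with dots replaced (mail.example.org -> mail-example-org);
    # it becomes the DNS label <selector>._domainkey.<DKIM_DOMAIN>.
    - name: Choose a DKIM selector
      set_fact:
        dkim_selector: "{{ inventory_hostname | replace('.', '-') }}"

    # Owned by root: the exim user only needs to *read* the key. If the exim
    # user owned this directory, a compromised exim process could rename or
    # replace the key file regardless of the file's own root:Debian-exim 0640.
    - name: Create /etc/exim4/dkim/ directory
      file:
        path: /etc/exim4/dkim/
        state: directory
        mode: "0750"
        owner: root
        group: Debian-exim

    # 2048-bit RSA: RFC 8301 deprecates 1024-bit DKIM keys (verifiers may
    # reject them) and 1024-bit RSA is below current minimums. `creates` means
    # an existing key is never rotated: to upgrade an older 1024-bit key, remove
    # the key pair, re-run, and republish the DNS TXT record.
    - name: Generate a private key for DKIM
      command: openssl genrsa -out /etc/exim4/dkim/{{ dkim_selector }}-private.key 2048
      args:
        creates: /etc/exim4/dkim/{{ dkim_selector }}-private.key

    - name: Allow exim to read the DKIM private key
      file:
        path: /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: Debian-exim
        mode: "0640"

    # The .pem is what goes into the DNS TXT record
    # "v=DKIM1; k=rsa; p=<base64 body of the .pem, headers and newlines removed>".
    # A 2048-bit key exceeds 255 characters, so most DNS providers need the
    # record split into several quoted strings.
    - name: Derive the public key for DKIM
      command: openssl rsa -in {{ dkim_selector }}-private.key -out {{ dkim_selector }}.pem -pubout -outform PEM
      args:
        chdir: /etc/exim4/dkim/
        creates: /etc/exim4/dkim/{{ dkim_selector }}.pem

    # Debian's remote_smtp transport picks these macros up when defined.
    # DKIM_DOMAIN is the host's FQDN: for DMARC alignment the From: domain of
    # outgoing mail must match it (or be a subdomain) — override it if this host
    # sends mail for another domain.
    - name: Configure exim to use our DKIM key
      copy:
        dest: /etc/exim4/conf.d/main/00_local_macros
        content: |
          DKIM_CANON = relaxed
          DKIM_SELECTOR = {{ dkim_selector }}
          DKIM_DOMAIN = {{ inventory_hostname }}
          DKIM_PRIVATE_KEY = /etc/exim4/dkim/{{ dkim_selector }}-private.key
        owner: root
        group: root
        mode: "0644"
      notify: reload exim4
      register: config_exim

    # conf.d edits only take effect once the generated config is rebuilt;
    # the `reload exim4` handler then runs at the end of the play.
    - name: Reconfigure exim4
      command: update-exim4.conf
      when: config_exim is changed

    - name: Install nftables
      package:
        name: nftables
        state: present

    - name: Enable and start nftables
      service:
        name: nftables
        enabled: true
        state: started
        daemon_reload: true

    # Default-deny input policy. NOTE(review): `flush ruleset` wipes every
    # table, including any that fail2ban (installed below) creates through
    # iptables-nft, each time the `reload nftables` handler fires — confirm
    # fail2ban's banaction survives a reload or is re-applied.
    - name: Install the nftables ruleset
      copy:
        content: |
          #!/usr/sbin/nft -f

          flush ruleset

          table inet filter {
            chain input {
              # explicit drop policy so the chain stays closed even if the
              # trailing rule is edited away
              type filter hook input priority 0; policy drop;
              iif lo accept
              ct state invalid drop
              ct state established,related accept
              # ICMP/ICMPv6 must pass: path-MTU discovery needs it, and IPv6
              # neighbour discovery does not work at all without it
              meta l4proto { icmp, ipv6-icmp } accept
              tcp dport { ssh, http, https, smtp, imap2, imaps } ct state new accept
              counter drop
            }
          }
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0755"  # executable through its shebang, as Debian ships it
      notify: reload nftables

    - name: Update via apt (mandatory on first run)
      apt:
        update_cache: true
        cache_valid_time: 86400

    - name: Install some useful packages
      apt:
        state: present
        name:
          - aptitude
          - emacs-nox
          - fail2ban
          - git
          - htop
          - ncdu
          - ntp
          - python3
          - python3-dev
          - python3-pip
          - python3-setuptools
          - python3-venv
          - python3-wheel
          - rsync
          - sudo
          - tcpdump
          - vim-nox

    # copy fails if the directory is missing (fresh images do not always ship
    # /root/.ssh), and sshd's StrictModes rejects keys when /root/.ssh is
    # group- or world-writable.
    - name: Ensure /root/.ssh exists
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"

    # Replaces the file wholesale: `authorized_keys` must contain every key
    # that should keep root access, including the one Ansible connects with.
    - name: Set some authorized keys
      copy:
        content: "{{ authorized_keys }}"
        dest: /root/.ssh/authorized_keys
        mode: "0600"
        owner: root
        group: root

    # presumably to avoid the nightly updatedb indexing run — confirm
    - name: Ensure mlocate and locate are not installed
      apt:
        name: ["mlocate", "locate"]
        state: absent

  tags: common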