mdk
/
infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Configure mailname so exim understands mails to root local, thus it needs to read aliases.

This commit is contained in:
Julien Palard 2024-03-19 22:15:09 +01:00
parent 3834a5e976
commit 64ca02c648
Signed by: mdk
GPG Key ID: 0EFC1AC1006886F8
7 changed files with 108 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
base.yml
View File

@ -1,103 +0,0 @@
---
- hosts: mdk
tasks:
- name: Configure hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Configure FQDN
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1'
line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
owner: root
group: root
mode: 0644
- name: Install fail2ban
apt:
name: fail2ban
state: present
- name: Configure fail2ban for nginx
copy:
content: |
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
dest: /etc/fail2ban/jail.d/nginx.conf
mode: 0x644
notify: reload fail2ban
- name: Configure fail2ban bantime
copy:
content: |
[DEFAULT]
bantime = 30d
dest: /etc/fail2ban/jail.d/mdk-bantime.conf
mode: 0x644
notify: reload fail2ban
- name: Setup nftables
include_role: name=nftables
tags: always
vars:
nftables_conf: |
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
iif lo accept
ct state established,related accept
tcp dport { ssh, http, https, 5201 } ct state new accept
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
counter drop
}
}
# From https://infosec.mozilla.org/guidelines/openssh
- name: SSHd hardening
blockinfile:
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
path: /etc/ssh/sshd_config
state: present
create: true
block: |
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AuthenticationMethods publickey
LogLevel VERBOSE
notify: restart sshd
tags: ssh
- name: Ensure root crontab sends email to me
community.general.cronvar:
user: root
name: MAILTO
value: "{{ vault_smtp_username }}"
- name: Ensure my crontab sends email to me
community.general.cronvar:
user: root
name: MAILTO
value: "{{ vault_smtp_username }}"
handlers:
- name: reload fail2ban
service: name=fail2ban state=reloaded
- name: restart sshd
service: name=sshd state=restarted

4
laptop.yml
View File

@ -2,9 +2,13 @@
- hosts: laptops
tasks:
- name: Common setup
include_role: name=common
- name: Setup laptop
include_role: name=exim
vars:
alias_for_root: "julien@palard.fr"
smtp_host: "{{ vault_smtp_host }}"
smtp_port: "{{ vault_smtp_port }}"
smtp_username: "{{ vault_smtp_username }}"

3
mdk.fr.yml
View File

@ -4,6 +4,9 @@
vars:
letsencrypt_email: julien@palard.fr
tasks:
- name: Common setup
include_role: name=common
- name: Setup email
include_role: name=exim
vars:

7
roles/common/handlers/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: reload fail2ban
service: name=fail2ban state=reloaded
- name: restart sshd
service: name=sshd state=restarted

89
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,89 @@
---
- name: Configure hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Configure mailname
copy:
content: "{{ inventory_hostname }}\n"
dest: /etc/mailname
owner: root
group: root
mode: 0644
- name: Configure FQDN
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1'
line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
owner: root
group: root
mode: 0644
- name: Install fail2ban
apt:
name: fail2ban
state: present
- name: Configure fail2ban for nginx
copy:
content: |
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
dest: /etc/fail2ban/jail.d/nginx.conf
mode: 0x644
notify: reload fail2ban
- name: Configure fail2ban bantime
copy:
content: |
[DEFAULT]
bantime = 30d
dest: /etc/fail2ban/jail.d/mdk-bantime.conf
mode: 0x644
notify: reload fail2ban
- name: Setup nftables
include_role: name=nftables
tags: always
vars:
nftables_conf: |
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
iif lo accept
ct state established,related accept
tcp dport { ssh, http, https, 5201 } ct state new accept
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
counter drop
}
}
# From https://infosec.mozilla.org/guidelines/openssh
- name: SSHd hardening
blockinfile:
marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
path: /etc/ssh/sshd_config
state: present
create: true
block: |
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
AuthenticationMethods publickey
LogLevel VERBOSE
notify: restart sshd
tags: ssh

5
roles/exim/tasks/main.yml
View File

@ -77,3 +77,8 @@
when: update_exim4_conf_conf is changed
command: update-exim4.conf
notify: restart exim4
- name: Alias for root
lineinfile:
path: /etc/aliases
line: "root: {{ alias_for_root }}"

1
site.yml
View File

@ -1,6 +1,5 @@
---
- import_playbook: base.yml
- import_playbook: cert_watch.yml
- import_playbook: pasteque.yml
- import_playbook: static_websites.yml