From 64ca02c64852f79dbf056cc383c691d9a5cc1963 Mon Sep 17 00:00:00 2001 From: Julien Palard Date: Tue, 19 Mar 2024 22:15:09 +0100 Subject: [PATCH] Configure mailname so exim understands mails to root local, thus it needs to read aliases. --- base.yml | 103 --------------------------------- laptop.yml | 4 ++ mdk.fr.yml | 3 + roles/common/handlers/main.yml | 7 +++ roles/common/tasks/main.yml | 89 ++++++++++++++++++++++++++++ roles/exim/tasks/main.yml | 5 ++ site.yml | 1 - 7 files changed, 108 insertions(+), 104 deletions(-) delete mode 100644 base.yml create mode 100644 roles/common/handlers/main.yml create mode 100644 roles/common/tasks/main.yml diff --git a/base.yml b/base.yml deleted file mode 100644 index 540b549..0000000 --- a/base.yml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- - -- hosts: mdk - tasks: - - name: Configure hostname - hostname: - name: "{{ inventory_hostname_short }}" - - - name: Configure FQDN - lineinfile: - path: /etc/hosts - regexp: '^127\.0\.0\.1' - line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost" - owner: root - group: root - mode: 0644 - - - name: Install fail2ban - apt: - name: fail2ban - state: present - - - name: Configure fail2ban for nginx - copy: - content: | - [nginx-botsearch] - enabled = true - port = http,https - logpath = %(nginx_error_log)s - maxretry = 2 - dest: /etc/fail2ban/jail.d/nginx.conf - mode: 0x644 - notify: reload fail2ban - - - name: Configure fail2ban bantime - copy: - content: | - [DEFAULT] - bantime = 30d - dest: /etc/fail2ban/jail.d/mdk-bantime.conf - mode: 0x644 - notify: reload fail2ban - - - name: Setup nftables - include_role: name=nftables - tags: always - vars: - nftables_conf: | - #!/usr/sbin/nft -f - - flush ruleset - - table inet filter { - chain input { - type filter hook input priority 0; - iif lo accept - ct state established,related accept - tcp dport { ssh, http, https, 5201 } ct state new accept - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - counter drop - } - } - - # From https://infosec.mozilla.org/guidelines/openssh - - name: SSHd hardening - blockinfile: - marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)" - path: /etc/ssh/sshd_config - state: present - create: true - block: | - KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - - HostKey /etc/ssh/ssh_host_ed25519_key - HostKey 
/etc/ssh/ssh_host_rsa_key - HostKey /etc/ssh/ssh_host_ecdsa_key - - AuthenticationMethods publickey - LogLevel VERBOSE - notify: restart sshd - tags: ssh - - - name: Ensure root crontab sends email to me - community.general.cronvar: - user: root - name: MAILTO - value: "{{ vault_smtp_username }}" - - - name: Ensure my crontab sends email to me - community.general.cronvar: - user: root - name: MAILTO - value: "{{ vault_smtp_username }}" - - - handlers: - - name: reload fail2ban - service: name=fail2ban state=reloaded - - - name: restart sshd - service: name=sshd state=restarted diff --git a/laptop.yml b/laptop.yml index 8dc2f87..40a8488 100644 --- a/laptop.yml +++ b/laptop.yml @@ -2,9 +2,13 @@ - hosts: laptops tasks: + - name: Common setup + include_role: name=common + - name: Setup laptop include_role: name=exim vars: + alias_for_root: "julien@palard.fr" smtp_host: "{{ vault_smtp_host }}" smtp_port: "{{ vault_smtp_port }}" smtp_username: "{{ vault_smtp_username }}" diff --git a/mdk.fr.yml b/mdk.fr.yml index 70cd1fd..318eb58 100644 --- a/mdk.fr.yml +++ b/mdk.fr.yml @@ -4,6 +4,9 @@ vars: letsencrypt_email: julien@palard.fr tasks: + - name: Common setup + include_role: name=common + - name: Setup email include_role: name=exim vars: diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml new file mode 100644 index 0000000..e44b2e1 --- /dev/null +++ b/roles/common/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: reload fail2ban + service: name=fail2ban state=reloaded + +- name: restart sshd + service: name=sshd state=restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml new file mode 100644 index 0000000..b1ee8f1 --- /dev/null +++ b/roles/common/tasks/main.yml 
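Review bot: `alias_for_root: "julien@palard.fr"` is set only in the laptop play, while the exim role's new `Alias for root` task (in roles/exim/tasks/main.yml) interpolates `{{ alias_for_root }}` unconditionally. The mdk.fr.yml hunk adds the common role but does not show `alias_for_root` among the exim vars (that vars block continues past the hunk), so if it is not defined there the task fails with an undefined variable. Consider a role default in roles/exim/defaults/main.yml, or guard the task with `when: alias_for_root is defined`, so the role stays usable on hosts that do not set it.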
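Review bot: The two handlers use the free-form `key=value` module argument shorthand, `service: name=fail2ban state=reloaded`, which ansible-lint flags and which is harder to diff than native YAML. Since this is a new file, write the arguments as a block mapping: `service:` / `name: fail2ban` / `state: reloaded`, and likewise for the sshd handler. Handler names are matched by `notify` in the tasks file, so the names themselves must stay exactly `reload fail2ban` and `restart sshd`.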
@@ -0,0 +1,89 @@ +--- + +- name: Configure hostname + hostname: + name: "{{ inventory_hostname_short }}" + +- name: Configure mailname + copy: + content: "{{ inventory_hostname }}\n" + dest: /etc/mailname + owner: root + group: root + mode: 0644 + +- name: Configure FQDN + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.0\.1' + line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost" + owner: root + group: root + mode: 0644 + +- name: Install fail2ban + apt: + name: fail2ban + state: present + +- name: Configure fail2ban for nginx + copy: + content: | + [nginx-botsearch] + enabled = true + port = http,https + logpath = %(nginx_error_log)s + maxretry = 2 + dest: /etc/fail2ban/jail.d/nginx.conf + mode: 0x644 + notify: reload fail2ban + +- name: Configure fail2ban bantime + copy: + content: | + [DEFAULT] + bantime = 30d + dest: /etc/fail2ban/jail.d/mdk-bantime.conf + mode: 0x644 + notify: reload fail2ban + +- name: Setup nftables + include_role: name=nftables + tags: always + vars: + nftables_conf: | + #!/usr/sbin/nft -f + + flush ruleset + + table inet filter { + chain input { + type filter hook input priority 0; + iif lo accept + ct state established,related accept + tcp dport { ssh, http, https, 5201 } ct state new accept + ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept + counter drop + } + } + +# From https://infosec.mozilla.org/guidelines/openssh +- name: SSHd hardening + blockinfile: + marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)" + path: /etc/ssh/sshd_config + state: present + create: true + block: | + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs 
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + HostKey /etc/ssh/ssh_host_ed25519_key + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ecdsa_key + + AuthenticationMethods publickey + LogLevel VERBOSE + notify: restart sshd + tags: ssh diff --git a/roles/exim/tasks/main.yml b/roles/exim/tasks/main.yml index cdd6412..ce5c380 100644 --- a/roles/exim/tasks/main.yml +++ b/roles/exim/tasks/main.yml @@ -77,3 +77,8 @@ when: update_exim4_conf_conf is changed command: update-exim4.conf notify: restart exim4 + +- name: Alias for root + lineinfile: + path: /etc/aliases + line: "root: {{ alias_for_root }}" diff --git a/site.yml b/site.yml index bc33c66..77f2b97 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,5 @@ --- -- import_playbook: base.yml - import_playbook: cert_watch.yml - import_playbook: pasteque.yml - import_playbook: static_websites.yml
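Review bot: `mode: 0x644` on both fail2ban `copy` tasks (nginx.conf and mdk-bantime.conf) is a hexadecimal literal, decimal 1604, i.e. octal 03104, so the files end up with setgid and sticky bits set, owner execute-only, and no group access instead of rw-r--r--. This was carried over from base.yml and the move is the moment to fix it; write `mode: "0644"`. The plain `mode: 0644` on the mailname and /etc/hosts tasks works because YAML 1.1 reads it as octal 420, but quoting it as `"0644"` too removes the YAML-version ambiguity and matches Ansible's recommended form.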
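Review bot: The new `Alias for root` task uses `lineinfile` without a `regexp`, so it appends a fresh `root: ...` line whenever `alias_for_root` changes or /etc/aliases already carries a root entry, leaving duplicate keys whose precedence depends on how exim looks the file up. Add `regexp: '^root:'` so the task replaces the existing entry instead of accumulating lines. Whether the aliases file needs rebuilding after the change depends on the exim4 lookup configuration, which is outside this hunk; if the lookup is not a plain file search, a handler would also be needed.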