infra/base.yml

---

- hosts: mdk
  tasks:
    - name: Configure hostname
      hostname:
        name: "{{ inventory_hostname_short }}"

    - name: Configure FQDN
      lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.0\.1'
        line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
        owner: root
        group: root
        mode: 0644

    - name: Install fail2ban
      apt:
        name: fail2ban
        state: present

    - name: Configure fail2ban for nginx
      copy:
        content: |
          [nginx-botsearch]
          enabled  = true
          port     = http,https
          logpath  = %(nginx_error_log)s
          maxretry = 2          
        dest: /etc/fail2ban/jail.d/nginx.conf
        mode: 0x644
      notify: reload fail2ban

    - name: Configure fail2ban bantime
      copy:
        content: |
          [DEFAULT]
          bantime  = 30d          
        dest: /etc/fail2ban/jail.d/mdk-bantime.conf
        mode: 0x644
      notify: reload fail2ban

    - name: Setup nftables
      include_role: name=nftables
      tags: always
      vars:
        nftables_conf: |
            #!/usr/sbin/nft -f

            flush ruleset

            table inet filter {
                chain input {
                    type filter hook input priority 0;
                    iif lo accept
                    ct state established,related accept
                    tcp dport { ssh, http, https, 5201 } ct state new accept
                    ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
                    counter drop
                }
            }            

    # From https://infosec.mozilla.org/guidelines/openssh
    - name: SSHd hardening
      blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK (KexAlgorithms, Ciphers, MACs)"
        path: /etc/ssh/sshd_config
        state: present
        create: true
        block: |
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_ecdsa_key

          AuthenticationMethods publickey
          LogLevel VERBOSE          
      notify: restart sshd
      tags: ssh

    - name: msmtp config
      copy:
        dest: /etc/msmtprc
        content: |
          defaults
          auth           on
          tls            on
          tls_starttls   off
          tls_trust_file /etc/ssl/certs/ca-certificates.crt
          logfile        /var/log/msmtp

          account        galae
          auth           plain
          host           mail.galae.net
          port           465
          from           {{ vault_smtp_username }}
          user           {{ vault_smtp_username }}
          password       {{ vault_smtp_password }}

          account default : galae          

    - name: Install msmtp
      apt:
        name: [msmtp, msmtp-mta, bsd-mailx]

    - name: Ensure root crontab sends email from me
      community.general.cronvar:
        user: root
        name: MAILFROM
        value: "{{ vault_smtp_username }}"

    - name: Ensure my crontab sends email from me
      community.general.cronvar:
        user: mdk
        name: MAILFROM
        value: "{{ vault_smtp_username }}"

    - name: Ensure root crontab sends email to me
      community.general.cronvar:
        user: root
        name: MAILTO
        value: "{{ vault_smtp_username }}"

    - name: Ensure my crontab sends email to me
      community.general.cronvar:
        user: root
        name: MAILTO
        value: "{{ vault_smtp_username }}"


  handlers:
    - name: reload fail2ban
      service: name=fail2ban state=reloaded

    - name: restart sshd
      service: name=sshd state=restarted