symposion_app/deploy/basics.yml

148 lines
4.1 KiB
YAML
Raw Normal View History

2023-05-02 06:34:25 +00:00
# Basic Ansible playbook to set up security essentials: Nginx dhparams, fail2ban,
# unattended-upgrades, history logging, firewall, no SSH keys and Postfix
# relay/rewriting/aliases.
#
# Run with:
# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/basics.yml -i deploy/inventory.yml --verbose
- hosts: web
become: true
vars:
ansible_ssh_pipelining: true
tasks:
- name: Generate dhparams file for HTTP2
ansible.builtin.command:
cmd: openssl dhparam -out /etc/nginx/dhparam.pem 2048
creates: /etc/nginx/dhparam.pem
- name: Install fail2ban
apt:
pkg: fail2ban
- name: Install unattended-upgrades
apt:
pkg: unattended-upgrades
- name: Configure unattended upgrades overrides
# See defaults in 50unattended-upgrades.
copy:
dest: /etc/apt/apt.conf.d/20auto-upgrades
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Mail "root";
- name: Add extensive history logging
blockinfile:
path: /etc/bash.bashrc
block: |
# Write to history file immediately (rather than only when shell is
# closed). For setting history length see HISTSIZE and HISTFILESIZE in
# bash(1).
shopt -s histappend
PROMPT_COMMAND='history -a'
HISTSIZE=1000000
HISTFILESIZE=1000000
insertafter: EOF
- name: Install `netfilter-persistent` && `iptables-persistent` packages
apt:
pkg:
- iptables-persistent
- netfilter-persistent
- name: Flush existing firewall rules
iptables:
flush: true
- name: Firewall rule - allow all loopback traffic
iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Firewall rule - allow established connections
iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Firewall rule - allow port ping traffic
iptables:
chain: INPUT
jump: ACCEPT
protocol: icmp
- name: Firewall rule - allow port 22/SSH traffic
iptables:
chain: INPUT
destination_port: '22'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 80/HTTP traffic
iptables:
chain: INPUT
destination_port: '80'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 443/HTTPS traffic
iptables:
chain: INPUT
destination_port: '443'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - drop any traffic without rule
iptables:
chain: INPUT
jump: DROP
- name: Disable SSH password authentication
lineinfile:
path: /etc/ssh/sshd_config
line: 'PasswordAuthentication no'
regexp: 'PasswordAuthentication '
# Postfix
- name: Postfix
apt:
pkg:
- postfix
- mailutils
## Commented because you only want this on first run ever.
# - name: Add file for SMTP credentials
# copy:
# dest: /etc/postfix/sasl_passwd
# content: |-
# # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
# [pine.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD
- name: Configure Postfix envelope rewriting
copy:
dest: /etc/postfix/canonical
content: |-
/./ conference@sfconservancy.org
- name: Configure Postfix From header rewriting
copy:
dest: /etc/postfix/header_checks
content: |-
/^From:.*/ REPLACE From: conference@sfconservancy.org
- name: Configure Postfix for relaying
copy:
src: postfix/main.cf
dest: /etc/postfix/main.cf
- name: Alias mail to root
copy:
dest: /etc/aliases
content: |-
postmaster: root
root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au