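---
# Basic Ansible playbook to set up security essentials: Nginx dhparams, fail2ban,
# unattended-upgrades, history logging, firewall, SSH password logins disabled
# and Postfix relay/rewriting/aliases.
#
# Run with:
# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/basics.yml -i deploy/inventory.yml --verbose

- hosts: web
  become: true
  vars:
    ansible_ssh_pipelining: true

  handlers:
    # Config edits below only take effect after the daemon re-reads its files.
    - name: Reload sshd
      service:
        name: ssh
        state: reloaded

    - name: Rebuild aliases database
      # /etc/aliases is only the source; Postfix reads the compiled aliases.db.
      command: newaliases

    - name: Reload postfix
      service:
        name: postfix
        state: reloaded

  tasks:
    - name: Generate dhparams file for HTTP2
      ansible.builtin.command:
        cmd: openssl dhparam -out /etc/nginx/dhparam.pem 2048
        creates: /etc/nginx/dhparam.pem

    - name: Install fail2ban
      apt:
        pkg: fail2ban

    - name: Install unattended-upgrades
      apt:
        pkg: unattended-upgrades

    - name: Configure unattended upgrades overrides
      # See defaults in 50unattended-upgrades.
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          Unattended-Upgrade::Mail "root";

    - name: Add extensive history logging
      # Audit aid only: a user can edit or unset their own history, so this is
      # not a tamper-proof record.
      blockinfile:
        path: /etc/bash.bashrc
        block: |
          # Write to history file immediately (rather than only when shell is
          # closed). For setting history length see HISTSIZE and HISTFILESIZE in
          # bash(1).
          shopt -s histappend
          # Chain onto any PROMPT_COMMAND already set instead of clobbering it.
          PROMPT_COMMAND="history -a${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
          HISTSIZE=1000000
          HISTFILESIZE=1000000
        insertafter: EOF

    - name: Install `netfilter-persistent` && `iptables-persistent` packages
      apt:
        pkg:
          - iptables-persistent
          - netfilter-persistent

    # The rules below are IPv4 only (the iptables module defaults to
    # ip_version: ipv4); ip6tables is left untouched. If the hosts have public
    # IPv6 addresses, mirror these rules with ip_version: ipv6.
    - name: Flush existing firewall rules
      iptables:
        flush: true

    - name: Firewall rule - allow all loopback traffic
      iptables:
        action: append
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Firewall rule - allow established connections
      iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Firewall rule - allow port ping traffic
      iptables:
        chain: INPUT
        jump: ACCEPT
        protocol: icmp

    - name: Firewall rule - allow port 22/SSH traffic
      iptables:
        chain: INPUT
        destination_port: '22'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - allow port 80/HTTP traffic
      iptables:
        chain: INPUT
        destination_port: '80'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - allow port 443/HTTPS traffic
      iptables:
        chain: INPUT
        destination_port: '443'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - drop any traffic without rule
      iptables:
        chain: INPUT
        jump: DROP

    - name: Persist firewall rules across reboots
      # The iptables module only changes the running ruleset. Without saving,
      # the host comes back with an empty (accept-all) INPUT chain after any
      # reboot, including the automatic reboot enabled above.
      command: netfilter-persistent save

    - name: Disable SSH password authentication
      # NOTE(review): on hosts with /etc/ssh/sshd_config.d/*.conf drop-ins an
      # earlier Include can still set PasswordAuthentication yes — confirm the
      # effective value with `sshd -T`.
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'PasswordAuthentication no'
        # Anchored so a commented-out default line is replaced too.
        regexp: '^#?PasswordAuthentication '
        # Refuse to write a config sshd cannot parse (avoids locking us out).
        validate: 'sshd -t -f %s'
      notify: Reload sshd

    # Postfix
    - name: Postfix
      apt:
        pkg:
          - postfix
          - mailutils

    ## Commented because you only want this on first run ever.
    # - name: Add file for SMTP credentials
    #   copy:
    #     dest: /etc/postfix/sasl_passwd
    #     mode: '0600'  # holds a relay password; keep it root-only
    #     content: |-
    #       # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
    #       [pine.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD

    # The two rewriting tables below are regexp-style patterns; this assumes
    # postfix/main.cf references them as regexp: tables (hash: tables would
    # also need postmap) — confirm against postfix/main.cf.
    - name: Configure Postfix envelope rewriting
      copy:
        dest: /etc/postfix/canonical
        content: |-
          /./ conference@sfconservancy.org
      notify: Reload postfix

    - name: Configure Postfix From header rewriting
      copy:
        dest: /etc/postfix/header_checks
        content: |-
          /^From:.*/ REPLACE From: conference@sfconservancy.org
      notify: Reload postfix

    - name: Configure Postfix for relaying
      copy:
        src: postfix/main.cf
        dest: /etc/postfix/main.cf
      notify: Reload postfix

    - name: Alias mail to root
      copy:
        dest: /etc/aliases
        content: |-
          postmaster: root
          root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
      notify: Rebuild aliases database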