147 lines
4.1 KiB
YAML
147 lines
4.1 KiB
YAML
# Basic Ansible playbook to set up security essentials: Nginx dhparams, fail2ban,
|
|
# unattended-upgrades, history logging, firewall, no SSH keys and Postfix
|
|
# relay/rewriting/aliases.
|
|
#
|
|
# Run with:
|
|
# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/basics.yml -i deploy/inventory.yml --verbose
|
|
- hosts: web
|
|
become: true
|
|
vars:
|
|
ansible_ssh_pipelining: true
|
|
tasks:
|
|
- name: Generate dhparams file for HTTP2
|
|
ansible.builtin.command:
|
|
cmd: openssl dhparam -out /etc/nginx/dhparam.pem 2048
|
|
creates: /etc/nginx/dhparam.pem
|
|
- name: Install fail2ban
|
|
apt:
|
|
pkg: fail2ban
|
|
|
|
- name: Install unattended-upgrades
|
|
apt:
|
|
pkg: unattended-upgrades
|
|
|
|
- name: Configure unattended upgrades overrides
|
|
# See defaults in 50unattended-upgrades.
|
|
copy:
|
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
content: |
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
Unattended-Upgrade::Automatic-Reboot "true";
|
|
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
|
Unattended-Upgrade::Mail "root";
|
|
|
|
- name: Add extensive history logging
|
|
blockinfile:
|
|
path: /etc/bash.bashrc
|
|
block: |
|
|
# Write to history file immediately (rather than only when shell is
|
|
# closed). For setting history length see HISTSIZE and HISTFILESIZE in
|
|
# bash(1).
|
|
shopt -s histappend
|
|
PROMPT_COMMAND='history -a'
|
|
HISTSIZE=1000000
|
|
HISTFILESIZE=1000000
|
|
insertafter: EOF
|
|
|
|
- name: Install `netfilter-persistent` && `iptables-persistent` packages
|
|
apt:
|
|
pkg:
|
|
- iptables-persistent
|
|
- netfilter-persistent
|
|
|
|
- name: Flush existing firewall rules
|
|
iptables:
|
|
flush: true
|
|
|
|
- name: Firewall rule - allow all loopback traffic
|
|
iptables:
|
|
action: append
|
|
chain: INPUT
|
|
in_interface: lo
|
|
jump: ACCEPT
|
|
|
|
- name: Firewall rule - allow established connections
|
|
iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
|
|
- name: Firewall rule - allow port ping traffic
|
|
iptables:
|
|
chain: INPUT
|
|
jump: ACCEPT
|
|
protocol: icmp
|
|
|
|
- name: Firewall rule - allow port 22/SSH traffic
|
|
iptables:
|
|
chain: INPUT
|
|
destination_port: '22'
|
|
jump: ACCEPT
|
|
protocol: tcp
|
|
|
|
- name: Firewall rule - allow port 80/HTTP traffic
|
|
iptables:
|
|
chain: INPUT
|
|
destination_port: '80'
|
|
jump: ACCEPT
|
|
protocol: tcp
|
|
|
|
- name: Firewall rule - allow port 443/HTTPS traffic
|
|
iptables:
|
|
chain: INPUT
|
|
destination_port: '443'
|
|
jump: ACCEPT
|
|
protocol: tcp
|
|
|
|
- name: Firewall rule - drop any traffic without rule
|
|
iptables:
|
|
chain: INPUT
|
|
jump: DROP
|
|
|
|
- name: Disable SSH password authentication
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
line: 'PasswordAuthentication no'
|
|
regexp: 'PasswordAuthentication '
|
|
|
|
|
|
# Postfix
|
|
- name: Postfix
|
|
apt:
|
|
pkg:
|
|
- postfix
|
|
- mailutils
|
|
|
|
## Commented because you only want this on first run ever.
|
|
# - name: Add file for SMTP credentials
|
|
# copy:
|
|
# dest: /etc/postfix/sasl_passwd
|
|
# content: |-
|
|
# # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
|
|
# [pine.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD
|
|
|
|
- name: Configure Postfix envelope rewriting
|
|
copy:
|
|
dest: /etc/postfix/canonical
|
|
content: |-
|
|
/./ conference@sfconservancy.org
|
|
|
|
- name: Configure Postfix From header rewriting
|
|
copy:
|
|
dest: /etc/postfix/header_checks
|
|
content: |-
|
|
/^From:.*/ REPLACE From: conference@sfconservancy.org
|
|
|
|
- name: Configure Postfix for relaying
|
|
copy:
|
|
src: postfix/main.cf
|
|
dest: /etc/postfix/main.cf
|
|
|
|
- name: Alias mail to root
|
|
copy:
|
|
dest: /etc/aliases
|
|
content: |-
|
|
postmaster: root
|
|
root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
|