self-hosting/roles/harden-linux/tasks/main.yml

- name: Delete root pw file /root/.pw (if present)
  file:
    path: /root/.pw
    state: absent

- name: Update APT package cache
  apt:
    update_cache: true
    cache_valid_time: 3600
  tags:
    - apt

- name: Install aptitude
  apt:
    pkg: aptitude
    state: present
  tags:
    - apt

- name: Upgrade APT to the latest packages
  apt:
    upgrade: safe

- name: Install required packages
  apt:
    state: present
    pkg: "{{item}}"
  with_items:
    - "{{harden_linux_required_packages}}"
  tags:
    - ufw

- name: Add deploy user
  user:
    name: "{{harden_linux_deploy_user}}"
    password: "{{harden_linux_deploy_user_password}}"
    uid: "{{harden_linux_deploy_user_uid}}"
    shell: "{{harden_linux_deploy_user_shell}}"
    home: "{{harden_linux_deploy_user_home}}"
  tags:
    - user

- name: Add authorized keys for deploy user
  authorized_key:
    user: "{{harden_linux_deploy_user}}"
    key: "{{item}}"
  with_items:
    - "{{harden_linux_deploy_user_public_keys}}"
  when: harden_linux_deploy_user_public_keys is defined
  tags:
    - user

- name: Add deploy user to sudoers
  lineinfile:
    dest: /etc/sudoers
    regexp: "{{harden_linux_deploy_user}} ALL"
    line: "{{harden_linux_deploy_user}} ALL=(ALL) NOPASSWD:ALL"
    state: present
  tags:
    - user
    - sudo

- name: Adjust APT update intervals
  copy:
    src: etc/apt/apt.conf.d/10periodic
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: 0644
  tags:
    - apt

- name: Combine harden_linux_sshd_settings and harden_linux_sshd_settings_user (if defined)
  set_fact:
    harden_linux_sshd_settings: "{{harden_linux_sshd_settings | combine(harden_linux_sshd_settings_user|default({})) }}"
  tags:
    - ssh

- name: Ensure sshd_config setting
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    regexp: "{{item}}"
    line: "{{harden_linux_sshd_settings[item]}}"
    state: "present"
  notify: "restart ssh"
  with_items:
    - "{{harden_linux_sshd_settings | list}}"
  tags:
    - ssh

- name: Combine harden_linux_sysctl_settings and harden_linux_sysctl_settings_user (if defined)
  set_fact:
    harden_linux_sysctl_settings: "{{harden_linux_sysctl_settings | combine(harden_linux_sysctl_settings_user|default({})) }}"
  tags:
    - sysctl

- name: Sysctl settings
  sysctl:
    name: "{{item}}"
    value: "{{harden_linux_sysctl_settings[item]}}"
    sysctl_set: yes
  with_items:
    - "{{harden_linux_sysctl_settings | list}}"
  tags:
    - sysctl

- name: Combine harden_linux_ufw_defaults and harden_linux_ufw_defaults_user (if defined)
  set_fact:
    harden_linux_ufw_defaults: "{{harden_linux_ufw_defaults | combine(harden_linux_ufw_defaults_user|default({})) }}"
  tags:
    - ufw

- name: UFW - Configure defaults
  lineinfile:
    dest: /etc/default/ufw
    regexp: "{{item}}"
    line: "{{harden_linux_ufw_defaults[item]}}"
    state: present
  notify: "reload ufw"
  with_items:
    - "{{harden_linux_ufw_defaults | list}}"
  tags:
    - ufw

- name: UFW - Apply firewall rules
  ufw:
    rule: "{{item.rule}}"
    interface: "{{item.interface | default('')}}"
    direction: "{{item.direction | default('in')}}"
    from_ip: "{{item.from_ip | default('any')}}"
    to_ip: "{{item.to_ip | default('any')}}"
    from_port: "{{item.from_port | default('')}}"
    to_port: "{{item.to_port | default('')}}"
    protocol: "{{item.protocol | default('any')}}"
    log: "{{item.log | default(False)}}"
  with_items: "{{harden_linux_ufw_rules}}"
  tags:
    - ufw
    - ufwrules

- name: UFW - Allow configured networks to communicate
  ufw:
    rule: allow
    src: "{{item}}"
  with_items:
    - "{{harden_linux_ufw_allow_networks}}"
  when: harden_linux_ufw_allow_networks is defined
  tags:
    - ufw

- name: UFW - Setup logging
  ufw:
    logging: "{{harden_linux_ufw_logging}}"
  tags:
    - ufw

- name: Update Sshguard white list
  lineinfile:
    dest: /etc/sshguard/whitelist
    regexp: "^{{item}}"
    line: "{{item}}"
    state: present
  with_items:
    - "{{harden_linux_sshguard_whitelist}}"
  tags:
    - sshguard

- name: UFW - Enable firewall/iptables
  ufw:
    state: enabled
  tags:
    - ufw

- name: Change root password
  user:
    name: "root"
    password: "{{harden_linux_root_password}}"
  when: harden_linux_root_password is defined
  tags:
    - user
Custom harden-linux role 2018-07-31 01:47:35 +02:00			`- name: Delete root pw file /root/.pw (if present)`
			`file:`
			`path: /root/.pw`
			`state: absent`

			`- name: Update APT package cache`
			`apt:`
			`update_cache: true`
			`cache_valid_time: 3600`
			`tags:`
			`- apt`

			`- name: Install aptitude`
			`apt:`
			`pkg: aptitude`
			`state: present`
			`tags:`
			`- apt`

			`- name: Upgrade APT to the latest packages`
			`apt:`
			`upgrade: safe`

			`- name: Install required packages`
			`apt:`
			`state: present`
			`pkg: "{{item}}"`
			`with_items:`
			`- "{{harden_linux_required_packages}}"`
			`tags:`
			`- ufw`

			`- name: Add deploy user`
			`user:`
			`name: "{{harden_linux_deploy_user}}"`
			`password: "{{harden_linux_deploy_user_password}}"`
			`uid: "{{harden_linux_deploy_user_uid}}"`
			`shell: "{{harden_linux_deploy_user_shell}}"`
			`home: "{{harden_linux_deploy_user_home}}"`
			`tags:`
			`- user`

			`- name: Add authorized keys for deploy user`
			`authorized_key:`
			`user: "{{harden_linux_deploy_user}}"`
			`key: "{{item}}"`
			`with_items:`
			`- "{{harden_linux_deploy_user_public_keys}}"`
			`when: harden_linux_deploy_user_public_keys is defined`
			`tags:`
			`- user`

			`- name: Add deploy user to sudoers`
			`lineinfile:`
			`dest: /etc/sudoers`
			`regexp: "{{harden_linux_deploy_user}} ALL"`
			`line: "{{harden_linux_deploy_user}} ALL=(ALL) NOPASSWD:ALL"`
			`state: present`
			`tags:`
			`- user`
			`- sudo`

			`- name: Adjust APT update intervals`
			`copy:`
			`src: etc/apt/apt.conf.d/10periodic`
			`dest: /etc/apt/apt.conf.d/10periodic`
			`owner: root`
			`group: root`
			`mode: 0644`
			`tags:`
			`- apt`

			`- name: Combine harden_linux_sshd_settings and harden_linux_sshd_settings_user (if defined)`
			`set_fact:`
			`harden_linux_sshd_settings: "{{harden_linux_sshd_settings \| combine(harden_linux_sshd_settings_user\|default({})) }}"`
			`tags:`
			`- ssh`

			`- name: Ensure sshd_config setting`
			`lineinfile:`
			`dest: "/etc/ssh/sshd_config"`
			`regexp: "{{item}}"`
			`line: "{{harden_linux_sshd_settings[item]}}"`
			`state: "present"`
			`notify: "restart ssh"`
			`with_items:`
			`- "{{harden_linux_sshd_settings \| list}}"`
			`tags:`
			`- ssh`

			`- name: Combine harden_linux_sysctl_settings and harden_linux_sysctl_settings_user (if defined)`
			`set_fact:`
			`harden_linux_sysctl_settings: "{{harden_linux_sysctl_settings \| combine(harden_linux_sysctl_settings_user\|default({})) }}"`
			`tags:`
			`- sysctl`

			`- name: Sysctl settings`
			`sysctl:`
			`name: "{{item}}"`
			`value: "{{harden_linux_sysctl_settings[item]}}"`
			`sysctl_set: yes`
			`with_items:`
			`- "{{harden_linux_sysctl_settings \| list}}"`
			`tags:`
			`- sysctl`

			`- name: Combine harden_linux_ufw_defaults and harden_linux_ufw_defaults_user (if defined)`
			`set_fact:`
			`harden_linux_ufw_defaults: "{{harden_linux_ufw_defaults \| combine(harden_linux_ufw_defaults_user\|default({})) }}"`
			`tags:`
			`- ufw`

			`- name: UFW - Configure defaults`
			`lineinfile:`
			`dest: /etc/default/ufw`
			`regexp: "{{item}}"`
			`line: "{{harden_linux_ufw_defaults[item]}}"`
			`state: present`
			`notify: "reload ufw"`
			`with_items:`
			`- "{{harden_linux_ufw_defaults \| list}}"`
			`tags:`
			`- ufw`

			`- name: UFW - Apply firewall rules`
			`ufw:`
			`rule: "{{item.rule}}"`
			`interface: "{{item.interface \| default('')}}"`
			`direction: "{{item.direction \| default('in')}}"`
			`from_ip: "{{item.from_ip \| default('any')}}"`
			`to_ip: "{{item.to_ip \| default('any')}}"`
			`from_port: "{{item.from_port \| default('')}}"`
			`to_port: "{{item.to_port \| default('')}}"`
			`protocol: "{{item.protocol \| default('any')}}"`
			`log: "{{item.log \| default(False)}}"`
			`with_items: "{{harden_linux_ufw_rules}}"`
			`tags:`
			`- ufw`
			`- ufwrules`

			`- name: UFW - Allow configured networks to communicate`
			`ufw:`
			`rule: allow`
			`src: "{{item}}"`
			`with_items:`
			`- "{{harden_linux_ufw_allow_networks}}"`
			`when: harden_linux_ufw_allow_networks is defined`
			`tags:`
			`- ufw`

			`- name: UFW - Setup logging`
			`ufw:`
			`logging: "{{harden_linux_ufw_logging}}"`
			`tags:`
			`- ufw`

			`- name: Update Sshguard white list`
			`lineinfile:`
			`dest: /etc/sshguard/whitelist`
			`regexp: "^{{item}}"`
			`line: "{{item}}"`
			`state: present`
			`with_items:`
			`- "{{harden_linux_sshguard_whitelist}}"`
			`tags:`
			`- sshguard`

			`- name: UFW - Enable firewall/iptables`
			`ufw:`
			`state: enabled`
			`tags:`
			`- ufw`

			`- name: Change root password`
			`user:`
			`name: "root"`
			`password: "{{harden_linux_root_password}}"`
			`when: harden_linux_root_password is defined`
			`tags:`
			`- user`