initial commit
commit
6f50de798b
24 changed files with 1082 additions and 0 deletions
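--- a/roles/baseline/tasks/firewall.yml
+++ b/roles/baseline/tasks/firewall.yml
@@ -0,0 +1,16 @@
+- name: Directory for firewall parts
+ansible.builtin.file:
+group: root
+owner: root
+name: /etc/firewall.d/
+mode: "0700"
+state: directory
+
+- name: Firewall template
+ansible.builtin.template:
+dest: /etc/network/if-pre-up.d/firewall
+group: root
+owner: root
+mode: "0755"
+src: firewall.j2
+notify: Restart firewall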
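Review bot: The rendered `firewall.j2` is installed straight into `/etc/network/if-pre-up.d/firewall` with nothing checking that it parses, so a template error ships a broken pre-up script and the host comes up either without its rules or without networking the next time an interface is raised. If the template is a shell script, `ansible.builtin.template` can reject a bad render before it lands: add `validate: "/bin/sh -n %s"` to the template task (adjust the interpreter to whatever shebang the template uses; the template itself is not among the files shown here). It is also worth a comment above the task that `if-pre-up.d` is only honoured by ifupdown, e.g. `# Only runs under ifupdown; netplan/systemd-networkd hosts ignore if-pre-up.d`, since on those hosts the script never executes and no firewall is applied. The `Restart firewall` handler is defined outside the visible files, so its behaviour cannot be checked from this diff.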
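--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Manage apt packages
+ansible.builtin.import_tasks: packages.yml
+
+- name: Manage global firewall
+ansible.builtin.import_tasks: firewall.yml
+
+- name: Manage root user
+ansible.builtin.import_tasks: rootuser.yml
+
+- name: Ensure handlers have ran
+ansible.builtin.meta: flush_handlers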
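Review bot: `packages.yml` is imported before `firewall.yml`, but its last task writes `/etc/firewall.d/mosh` while `/etc/firewall.d/` is only created by `firewall.yml`; `ansible.builtin.template` does not create missing parent directories, so on a fresh host the mosh task fails before the firewall is ever set up. Moving `- name: Manage global firewall` / `ansible.builtin.import_tasks: firewall.yml` ahead of the apt import fixes the ordering and also puts the baseline rules in place before the dist-upgrade pulls packages over the network. The handlers referenced by the imported files (`Restart firewall`, `Restart sshd`) are not among the files shown here, so the `flush_handlers` step assumes a handlers file that cannot be verified from this diff.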
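--- a/roles/baseline/tasks/packages.yml
+++ b/roles/baseline/tasks/packages.yml
@@ -0,0 +1,47 @@
+- name: Keep apt repository list uptodate
+ansible.builtin.apt:
+update_cache: true
+cache_valid_time: 3600
+# Even if we "changed it", it's merely a cache, so ignore
+changed_when: false
+
+- name: Update system packages to lates
+ansible.builtin.apt:
+upgrade: dist
+
+- name: Remove unused packages
+ansible.builtin.apt:
+autoremove: true
+
+# The following is a list of utilities that I personally use
+# to make my life easier. It is opiniated and not needed...
+- name: Install utilities to make life easier
+ansible.builtin.apt:
+pkg:
+- apt-dater
+- mosh
+- mc
+- vim
+- curl
+- jq
+- host
+- telnet
+- screen
+- tmux
+- tcpdump
+- sqlite3
+- bash-completion
+- mtr-tiny
+- iotop
+- iftop
+- htop
+- ncdu
+
+- name: Firewall for mosh
+ansible.builtin.template:
+dest: /etc/firewall.d/mosh
+group: root
+owner: root
+mode: "0755"
+src: mosh.j2
+notify: Restart firewall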
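Review bot: `upgrade: dist` runs on every play but nothing surfaces whether the upgrade needs a reboot, so after a kernel or libc update the old code keeps running indefinitely while the task reports success. On Debian-family hosts apt drops `/var/run/reboot-required` in that case; a `stat` on it followed by a `debug` (or `fail`, depending on policy) at the end of this file makes the pending reboot visible in the run output. Separately, the mosh fragment is written with `mode: "0755"` — if the fragments are sourced rather than executed by the firewall script, `"0644"` is sufficient; this is hedged, since `mosh.j2` and the consuming script are not shown here.
```yaml
# … unchanged: apt cache, dist-upgrade, autoremove, utilities, mosh fragment …

- name: Check whether the upgrade left a reboot pending
  ansible.builtin.stat:
    path: /var/run/reboot-required
  register: reboot_required

- name: Report pending reboot
  ansible.builtin.debug:
    msg: "Reboot required to finish applying updates"
  when: reboot_required.stat.exists
```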
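--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@@ -0,0 +1,27 @@
+- name: Set root password
+ansible.builtin.user:
+name: root
+password: "{{ root_password }}"
+
+- name: Ensure ssh directory for root
+ansible.builtin.file:
+state: directory
+path: /root/.ssh
+owner: root
+group: root
+mode: "0700"
+
+- name: Set authorized keys for root
+ansible.builtin.copy:
+content: "{{ root_sshkeys | join('\n') }}"
+dest: /root/.ssh/authorized_keys
+owner: root
+group: root
+mode: "0600"
+
+- name: Only allow root ssh
+ansible.builtin.lineinfile:
+dest: /etc/ssh/sshd_config
+line: "PermitRootLogin prohibit-password"
+regexp: "^PermitRootLogin "
+notify: Restart sshd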
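Review bot: The `Set root password` task has no `no_log: true`, so `root_password` is echoed in verbose output and callback logs whenever the task changes or fails; add `no_log: true` to it. `ansible.builtin.user` expects `password` to already be a crypt(3) hash — if the variable holds a plaintext value the module writes it into the shadow field as-is and only warns — so either keep the hash in vars or hash at use with `password: "{{ root_password | password_hash('sha512') }}"` (not idempotent without a fixed salt). The `lineinfile` edit of `sshd_config` triggers a restart without checking the result; add `validate: "/usr/sbin/sshd -t -f %s"` so a bad edit cannot lock out remote access. Be aware too that when no existing `PermitRootLogin` line matches, the new line is appended at the end of the file, which lands it inside any trailing `Match` block, and that a drop-in under `/etc/ssh/sshd_config.d/` included earlier wins because sshd keeps the first value it reads.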