diff --git a/deploy/basics.yml b/deploy/basics.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5d80a067c8311d0b37e18e3ac7daa58c1dc8ceb2
--- /dev/null
+++ b/deploy/basics.yml
@@ -0,0 +1,147 @@
+# Basic Ansible playbook to set up security essentials: Nginx dhparams, fail2ban,
+# unattended-upgrades, history logging, firewall, no SSH keys and Postfix
+# relay/rewriting/aliases.
+#
+# Run with:
+# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/basics.yml -i deploy/inventory.yml --verbose
+- hosts: web
+ become: true
+ vars:
+ ansible_ssh_pipelining: true
+ tasks:
+ - name: Generate dhparams file for HTTP2
+ ansible.builtin.command:
+ cmd: openssl dhparam -out /etc/nginx/dhparam.pem 2048
+ creates: /etc/nginx/dhparam.pem
+ - name: Install fail2ban
+ apt:
+ pkg: fail2ban
+
+ - name: Install unattended-upgrades
+ apt:
+ pkg: unattended-upgrades
+
+ - name: Configure unattended upgrades overrides
+ # See defaults in 50unattended-upgrades.
+ copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ Unattended-Upgrade::Automatic-Reboot "true";
+ Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+ Unattended-Upgrade::Mail "root";
+
+ - name: Add extensive history logging
+ blockinfile:
+ path: /etc/bash.bashrc
+ block: |
+ # Write to history file immediately (rather than only when shell is
+ # closed). For setting history length see HISTSIZE and HISTFILESIZE in
+ # bash(1).
+ shopt -s histappend
+ PROMPT_COMMAND='history -a'
+ HISTSIZE=1000000
+ HISTFILESIZE=1000000
+ insertafter: EOF
+
+ - name: Install `netfilter-persistent` && `iptables-persistent` packages
+ apt:
+ pkg:
+ - iptables-persistent
+ - netfilter-persistent
+
+ - name: Flush existing firewall rules
+ iptables:
+ flush: true
+
+ - name: Firewall rule - allow all loopback traffic
+ iptables:
+ action: append
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+
+ - name: Firewall rule - allow established connections
+ iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+
+ - name: Firewall rule - allow port ping traffic
+ iptables:
+ chain: INPUT
+ jump: ACCEPT
+ protocol: icmp
+
+ - name: Firewall rule - allow port 22/SSH traffic
+ iptables:
+ chain: INPUT
+ destination_port: '22'
+ jump: ACCEPT
+ protocol: tcp
+
+ - name: Firewall rule - allow port 80/HTTP traffic
+ iptables:
+ chain: INPUT
+ destination_port: '80'
+ jump: ACCEPT
+ protocol: tcp
+
+ - name: Firewall rule - allow port 443/HTTPS traffic
+ iptables:
+ chain: INPUT
+ destination_port: '443'
+ jump: ACCEPT
+ protocol: tcp
+
+ - name: Firewall rule - drop any traffic without rule
+ iptables:
+ chain: INPUT
+ jump: DROP
+
+ - name: Disable SSH password authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'PasswordAuthentication no'
+ regexp: 'PasswordAuthentication '
+
+
+ # Postfix
+ - name: Postfix
+ apt:
+ pkg:
+ - postfix
+ - mailutils
+
+ ## Commented because you only want this on first run ever.
+ # - name: Add file for SMTP credentials
+ # copy:
+ # dest: /etc/postfix/sasl_passwd
+ # content: |-
+ # # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
+ # [pine.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD
+
+ - name: Configure Postfix envelope rewriting
+ copy:
+ dest: /etc/postfix/canonical
+ content: |-
+ /./ conference@sfconservancy.org
+
+ - name: Configure Postfix From header rewriting
+ copy:
+ dest: /etc/postfix/header_checks
+ content: |-
+ /^From:.*/ REPLACE From: conference@sfconservancy.org
+
+ - name: Configure Postfix for relaying
+ copy:
+ src: postfix/main.cf
+ dest: /etc/postfix/main.cf
+
+ - name: Alias mail to root
+ copy:
+ dest: /etc/aliases
+ content: |-
+ postmaster: root
+ root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
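Review bot: The `iptables` tasks only change the running ruleset — nothing writes /etc/iptables/rules.v4, so the `iptables-persistent` package installed just before them restores nothing at boot, and with `Unattended-Upgrade::Automatic-Reboot "true"` set earlier in the same playbook the host will come back from its next upgrade-triggered reboot with an empty INPUT chain (the trailing `jump: DROP` rule is gone and the chain policy, which this playbook never sets, is ACCEPT on a stock install). Add a closing task such as `- name: Persist firewall rules` / `command: netfilter-persistent save`, and consider setting `policy: DROP` on INPUT so the final rule is not load-bearing. Every `iptables:` task also defaults to `ip_version: ipv4`, so inbound IPv6 is not filtered at all; duplicate the rules with `ip_version: ipv6` or loop over both. Separately, the `lineinfile` edit to sshd_config has no `notify`/handler to reload sshd, so `PasswordAuthentication no` is not in effect until something else restarts the daemon, and a `validate: '/usr/sbin/sshd -t -f %s'` on that task would catch a broken config before it is written.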