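# Basic Ansible playbook to set up security essentials: Nginx dhparams, fail2ban,
# unattended-upgrades, history logging, firewall, key-only SSH and Postfix
# relay/rewriting/aliases.
#
# Run with:
# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/basics.yml -i deploy/inventory.yml --verbose
---
- hosts: web
  become: true
  vars:
    ansible_ssh_pipelining: true
  tasks:
    - name: Generate dhparams file for HTTP2
      # `creates` makes this a no-op once the file exists, so the slow parameter
      # generation only happens on the first run.
      ansible.builtin.command:
        cmd: openssl dhparam -out /etc/nginx/dhparam.pem 2048
        creates: /etc/nginx/dhparam.pem

    - name: Install fail2ban
      ansible.builtin.apt:
        pkg: fail2ban

    - name: Install unattended-upgrades
      ansible.builtin.apt:
        pkg: unattended-upgrades

    - name: Configure unattended upgrades overrides
      # See defaults in 50unattended-upgrades. Automatic-Reboot lets kernel and
      # libc updates actually take effect; the reboot window is 02:00 host time.
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "02:00";
          Unattended-Upgrade::Mail "root";

    - name: Add extensive history logging
      # Appended as a managed block at the end of the system-wide bashrc. Note
      # that PROMPT_COMMAND is assigned, not extended, so any earlier value set
      # in bash.bashrc is replaced.
      ansible.builtin.blockinfile:
        path: /etc/bash.bashrc
        block: |
          # Write to history file immediately (rather than only when shell is
          # closed). For setting history length see HISTSIZE and HISTFILESIZE in
          # bash(1).
          shopt -s histappend
          PROMPT_COMMAND='history -a'
          HISTSIZE=1000000
          HISTFILESIZE=1000000
        insertafter: EOF

    - name: Install `netfilter-persistent` && `iptables-persistent` packages
      ansible.builtin.apt:
        pkg:
          - iptables-persistent
          - netfilter-persistent

    # The INPUT chain policy is never set in this play, so filtering relies
    # entirely on the rules below ending in DROP: between this flush and that
    # final rule the host is unfiltered, and a run that aborts in between leaves
    # it that way until the next run. All rules here are IPv4 only (ip_version
    # defaults to ipv4). NOTE(review): if the host has a public IPv6 address,
    # IPv6 INPUT is not filtered by this play -- confirm on the target.
    - name: Flush existing firewall rules
      ansible.builtin.iptables:
        flush: true

    - name: Firewall rule - allow all loopback traffic
      ansible.builtin.iptables:
        action: append
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Firewall rule - allow established connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Firewall rule - allow port ping traffic
      ansible.builtin.iptables:
        chain: INPUT
        jump: ACCEPT
        protocol: icmp

    - name: Firewall rule - allow port 22/SSH traffic
      ansible.builtin.iptables:
        chain: INPUT
        destination_port: '22'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - allow port 80/HTTP traffic
      ansible.builtin.iptables:
        chain: INPUT
        destination_port: '80'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - allow port 443/HTTPS traffic
      ansible.builtin.iptables:
        chain: INPUT
        destination_port: '443'
        jump: ACCEPT
        protocol: tcp

    - name: Firewall rule - drop any traffic without rule
      ansible.builtin.iptables:
        chain: INPUT
        jump: DROP

    - name: Persist firewall rules across reboots
      # The iptables module only edits the running ruleset. netfilter-persistent
      # restores its saved rules at boot, so without this save the host comes
      # back up with no filtering after a reboot (including the unattended
      # reboots configured above).
      ansible.builtin.command:
        cmd: netfilter-persistent save

    - name: Disable SSH password authentication
      # Anchored so only a setting line (possibly commented out, as in the stock
      # sshd_config) matches, not arbitrary comment text naming the option.
      # `validate` rejects the edit before it lands if sshd cannot parse the
      # result, and the handler reloads sshd so the change takes effect now
      # rather than at the next restart. NOTE(review): if sshd_config has an
      # `Include` of sshd_config.d/*.conf near the top, a drop-in there that sets
      # PasswordAuthentication first wins over this line -- confirm on the target.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        line: 'PasswordAuthentication no'
        regexp: '^#?PasswordAuthentication '
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Reload sshd

    # Postfix
    - name: Install Postfix and mailutils
      ansible.builtin.apt:
        pkg:
          - postfix
          - mailutils

    ## Commented because you only want this on first run ever.
    # - name: Add file for SMTP credentials
    #   copy:
    #     dest: /etc/postfix/sasl_passwd
    #     content: |-
    #       # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
    #       [mail.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD

    # The canonical and header_checks tables below are regular-expression
    # tables (no postmap step), so main.cf is expected to reference them as
    # regexp: lookups -- NOTE(review): main.cf lives in deploy/postfix/main.cf,
    # not shown here; confirm.
    - name: Configure Postfix envelope rewriting
      ansible.builtin.copy:
        dest: /etc/postfix/canonical
        content: |-
          /./ conference@sfconservancy.org
      notify: Reload postfix

    - name: Configure Postfix From header rewriting
      ansible.builtin.copy:
        dest: /etc/postfix/header_checks
        content: |-
          /^From:.*/ REPLACE From: conference@sfconservancy.org
      notify: Reload postfix

    - name: Configure Postfix for relaying
      ansible.builtin.copy:
        src: postfix/main.cf
        dest: /etc/postfix/main.cf
      notify: Reload postfix

    - name: Alias mail to root
      # Postfix reads the compiled aliases database, not this text file, so the
      # handler rebuilds it whenever the file changes.
      ansible.builtin.copy:
        dest: /etc/aliases
        content: |-
          postmaster: root
          root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
      notify: Rebuild aliases database

  handlers:
    - name: Reload sshd
      # Reload (SIGHUP) re-reads sshd_config without dropping the session
      # running this play.
      ansible.builtin.service:
        name: ssh
        state: reloaded

    - name: Reload postfix
      ansible.builtin.service:
        name: postfix
        state: reloaded

    - name: Rebuild aliases database
      ansible.builtin.command:
        cmd: newaliases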