diff --git a/roles/setup/handlers/main.yml b/roles/setup/handlers/main.yml index fa64a88..547738d 100644 --- a/roles/setup/handlers/main.yml +++ b/roles/setup/handlers/main.yml @@ -8,11 +8,11 @@ # =================================================================================================== --- -- name: apt_update - apt: - update_cache: true +- name: Update apt + ansible.builtin.apt: + update-cache: true -- name: restart_sshd - service: +- name: Restart sshd + ansible.builtin.service: name: "{{ openssh_service }}" state: restarted diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml index 08b2dd8..4eeb246 100644 --- a/roles/setup/tasks/main.yml +++ b/roles/setup/tasks/main.yml @@ -9,16 +9,22 @@ # =================================================================================================== --- -- include_vars: "{{ ansible_distribution }}.yml" +- name: Include distribution variables + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" # Setup the ansible user -- include_tasks: users/ansible.yml -- include_tasks: users/noahk.yml +- name: Create ansible user + ansible.builtin.include_tasks: users/ansible.yml +- name: Create usable user + ansible.builtin.include_tasks: users/noahk.yml -# Setup the sshd -- include_tasks: system/openssh.yml + # Setup the sshd +- name: Setup openssh + ansible.builtin.include_tasks: system/openssh.yml # Setup the repositories for Debian based systems -- include_tasks: software/repositories.yml +- name: Setup Debian based repositories + ansible.builtin.include_tasks: software/repositories.yml -- include_tasks: software/acl.yml +- name: Install and configure UFW + ansible.builtin.include_tasks: software/ufw.yml diff --git a/roles/setup/tasks/software/acl.yml b/roles/setup/tasks/software/acl.yml deleted file mode 100644 index 5c3e5aa..0000000 --- a/roles/setup/tasks/software/acl.yml +++ /dev/null 
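Review bot: The renamed handler `Restart sshd` no longer matches the notifications that still use the old name: `notify: - restart_sshd` appears as unchanged context in roles/setup/tasks/system/openssh.yml in this same diff, so the play will abort with an unknown-handler error on the first change to the sshd package or config. Either update those `notify` entries to `Restart sshd` or add `listen: restart_sshd` to the renamed handler so both names keep working. The apt handler also switches from the documented `update_cache` key to `update-cache`; the module may accept the hyphenated form as an alias, but `update_cache: true` is the documented key and the one ansible-lint expects. The sshd handler still reads `{{ openssh_service }}` while the vars files in this diff rename that variable to `setup_openssh_service`, so `name:` resolves to an undefined variable once the vars change lands.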
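Review bot: The re-added `# Setup the sshd` comment now carries leading whitespace while every other comment in this file sits at column 0, which reads as a stray edit; drop the leading space. `Create usable user` does not say which account it creates, whereas the task above names `ansible`; `Create noahk user` would match the included file. The role now includes software/ufw.yml unconditionally, so hosts outside the `datacenter` group (where openssh.yml skips the sshd service and config tasks) still get the firewall tasks — confirm that split is intended and say so in the comment above the include.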
@@ -1,15 +0,0 @@ -# =================================================================================================== -# ? ABOUT -# @author : Noah Knegt -# @email : personal@noahknegt.com -# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations -# @createdOn : 01-06-2023 -# @description : -# =================================================================================================== - ---- -- name: Install acl - package: - name: - - acl - state: latest diff --git a/roles/setup/tasks/software/repositories.yml b/roles/setup/tasks/software/repositories.yml index 1fdac40..47740d6 100644 --- a/roles/setup/tasks/software/repositories.yml +++ b/roles/setup/tasks/software/repositories.yml @@ -9,9 +9,9 @@ --- - name: Install aptitude and software-properties-common - package: + ansible.builtin.package: name: - aptitude - software-properties-common - state: latest + state: present when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"] diff --git a/roles/setup/tasks/software/ufw.yml b/roles/setup/tasks/software/ufw.yml new file mode 100644 index 0000000..1fd275e --- /dev/null +++ b/roles/setup/tasks/software/ufw.yml 
@@ -0,0 +1,47 @@ +# =================================================================================================== +# ? ABOUT +# @author : Noah Knegt +# @email : personal@noahknegt.com +# @repo : https://git.noahknegt.com/noah.knegt/ansible-automations +# @createdOn : 01-06-2023 +# @description : +# =================================================================================================== + +--- +- name: Install UFW + ansible.builtin.package: + name: ufw + state: present + +- name: UFW deny all incoming traffic + community.general.ufw: + default: deny + direction: incoming + +- name: UFW allow all outbound traffic + community.general.ufw: + default: allow + direction: outgoing + +- name: Allow all access from RFC1918 networks to this host + community.general.ufw: + direction: incoming + rule: allow + src: "{{ item }}" + loop: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + +- name: UFW allow default ssh port + community.general.ufw: + direction: incoming + rule: limit + port: ssh + +- name: UFW allow custom ssh port + when: setup_openssh_port is defined + community.general.ufw: + direction: incoming + rule: allow + port: "{{ setup_openssh_port }}" diff --git a/roles/setup/tasks/system/openssh.yml b/roles/setup/tasks/system/openssh.yml index 71e2ceb..fb1f2ce 100644 --- a/roles/setup/tasks/system/openssh.yml +++ b/roles/setup/tasks/system/openssh.yml 
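Review bot: Nothing in this new file enables ufw: the tasks set default policies and add rules, but without a final task such as `- name: Enable UFW` / `community.general.ufw:` / `state: enabled`, the firewall stays inactive on any host where it was not already enabled, and the `default: deny` never takes effect. Put that enable step last so the ssh rules exist before the deny policy goes live. The RFC1918 task uses `rule: allow` with no port, which opens every service on the host to all private address space and largely cancels the incoming deny; restrict it to the management ports or subnet actually needed. The custom-port task should use `rule: limit` like the default-port task so the brute-force rate limit is not lost when `setup_openssh_port` is set, and both port rules want `proto: tcp`. No vars file in this diff defines `setup_openssh_port` (Ubuntu.yml drops the old `ssh_port`), so the custom-port task is currently skipped everywhere — confirm where that variable is meant to come from.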
@@ -9,20 +9,22 @@ --- - name: Install or update openssh - package: - name: "{{ openssh_package }}" - state: latest + ansible.builtin.package: + name: "{{ setup_openssh_package }}" + state: present notify: - restart_sshd -- name: enable ssh daemon - service: +- name: Enable ssh daemon + when: inventory_hostname in groups['datacenter'] + ansible.builtin.service: name: "{{ openssh_service }}" state: started enabled: true -- name: configure sshd - template: +- name: Configure sshd + when: inventory_hostname in groups['datacenter'] + ansible.builtin.template: src: sshd_config.j2 dest: /etc/ssh/sshd_config owner: root @@ -31,10 +33,24 @@ notify: - restart_sshd -- name: copy sshd banner - copy: +- name: Copy sshd banner + ansible.builtin.copy: src: ssh_banner.net dest: /etc/issue.net owner: root group: root mode: 0644 + +- name: Copy ssh public key + ansible.builtin.authorized_key: + user: ansible + key: "{{ item }}" + with_file: + - ansible/ansible.pub + +- name: Copy ssh public key + ansible.builtin.authorized_key: + user: noahk + key: "{{ item }}" + with_file: + - noahk/noahk.pub diff --git a/roles/setup/tasks/users/ansible.yml b/roles/setup/tasks/users/ansible.yml index 08a7508..efb7010 100644 --- a/roles/setup/tasks/users/ansible.yml +++ b/roles/setup/tasks/users/ansible.yml @@ -9,12 +9,12 @@ --- - name: Add ansible group - group: + ansible.builtin.group: name: ansible state: present - name: Add new ansible user - user: + ansible.builtin.user: name: ansible group: ansible groups: ansible,{{ sudo_group }} @@ -23,7 +23,7 @@ shell: /bin/bash - name: Add ansible user to sudoers - copy: + ansible.builtin.copy: src: ansible/ansible_sudoers dest: /etc/sudoers.d/ansible owner: root 
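Review bot: `when: inventory_hostname in groups['datacenter']` raises an undefined-variable error on any inventory that has no `datacenter` group, because `groups` has no such key; `when: "'datacenter' in group_names"` is the safe, idiomatic form and should replace both occurrences in this hunk. The unchanged `name: "{{ openssh_service }}"` in the Enable ssh daemon task (and the same reference in handlers/main.yml) still uses the pre-rename variable, while the vars files in this diff define only `setup_openssh_service`, so the service task fails once those vars are loaded. The gating also means hosts outside `datacenter` get the package installed (`state: present`) but never the managed sshd_config, so they keep the distribution default — confirm that is the intended split. The Configure sshd task continues past the end of this hunk.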
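Review bot: The two new `authorized_key` tasks both carry the name `Copy ssh public key`, so play output and `--start-at-task` cannot tell the ansible key from the noahk key; name them `Copy ansible ssh public key` and `Copy noahk ssh public key`. `with_file` is the legacy loop form; for a single key, `key: "{{ lookup('file', 'ansible/ansible.pub') }}"` with no loop does the same without `{{ item }}`. These tasks are unconditional, unlike the sshd service and config tasks above that are gated on the `datacenter` group, so keys land on every host — presumably intended, but worth a one-line comment above the tasks saying so.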
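Review bot: `groups: ansible,{{ sudo_group }}` still references `sudo_group`, while noahk.yml in this same commit switches to `setup_sudo_group` and the vars files now define only the prefixed name, so the Add new ansible user task fails on an undefined variable. Change it to `groups: ansible,{{ setup_sudo_group }}`. The `password:` line of this task lies between the two hunks and is not visible here; vars/main.yml renames `ansible_password` to `setup_ansible_password`, so it presumably needs the same update — confirm. The Add new ansible user task continues past the end of this hunk.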
@@ -31,18 +31,9 @@ mode: 0440 - name: Create .ssh directory - file: + ansible.builtin.file: path: /home/ansible/.ssh state: directory owner: ansible group: ansible mode: 0700 - with_items: - - dir: /home/ansible/.ssh - -- name: Copy ssh public key - authorized_key: - user: ansible - key: "{{ item }}" - with_file: - - ansible/ansible.pub diff --git a/roles/setup/tasks/users/noahk.yml b/roles/setup/tasks/users/noahk.yml index 89c923c..4c5be16 100644 --- a/roles/setup/tasks/users/noahk.yml +++ b/roles/setup/tasks/users/noahk.yml @@ -9,21 +9,21 @@ --- - name: Create the group - group: + ansible.builtin.group: name: noahk state: present - name: Create the user - user: + ansible.builtin.user: name: noahk group: noahk - groups: noahk,{{ sudo_group }} - password: "{{ noahk_password }}" + groups: noahk,{{ setup_sudo_group }} + password: "{{ setup_noahk_password }}" state: present shell: /bin/bash - name: Add user to sudoers - copy: + ansible.builtin.copy: src: noahk/noahk_sudoers dest: /etc/sudoers.d/noahk owner: root @@ -31,18 +31,9 @@ mode: 0440 - name: Create .ssh directory - file: + ansible.builtin.file: path: /home/noahk/.ssh state: directory owner: noahk group: noahk mode: 0700 - with_items: - - dir: /home/noahk/.ssh - -- name: Copy ssh public key - authorized_key: - user: noahk - key: "{{ item }}" - with_file: - - noahk/noahk.pub diff --git a/roles/setup/vars/Archlinux.yml b/roles/setup/vars/Archlinux.yml index c514b50..be67295 100644 --- a/roles/setup/vars/Archlinux.yml +++ b/roles/setup/vars/Archlinux.yml @@ -8,7 +8,7 @@ # =================================================================================================== --- -sudo_group: wheel -openssh_service: sshd -openssh_package: openssh -sftp_path: /usr/lib/ssh/sftp-server +setup_sudo_group: wheel +setup_openssh_service: sshd +setup_openssh_package: openssh +setup_sftp_path: /usr/lib/ssh/sftp-server diff --git a/roles/setup/vars/Debian.yml b/roles/setup/vars/Debian.yml index fb86373..9997744 100644 
--- a/roles/setup/vars/Debian.yml +++ b/roles/setup/vars/Debian.yml @@ -8,7 +8,7 @@ # =================================================================================================== --- -sudo_group: sudo -openssh_service: ssh -openssh_package: openssh-server -sftp_path: /usr/lib/openssh/sftp-server +setup_sudo_group: sudo +setup_openssh_service: ssh +setup_openssh_package: openssh-server +setup_sftp_path: /usr/lib/openssh/sftp-server diff --git a/roles/setup/vars/Ubuntu.yml b/roles/setup/vars/Ubuntu.yml index 65d6eda..9997744 100644 --- a/roles/setup/vars/Ubuntu.yml +++ b/roles/setup/vars/Ubuntu.yml @@ -8,8 +8,7 @@ # =================================================================================================== --- -sudo_group: sudo -openssh_service: ssh -openssh_package: openssh-server -sftp_path: /usr/lib/openssh/sftp-server -ssh_port: 4422 +setup_sudo_group: sudo +setup_openssh_service: ssh +setup_openssh_package: openssh-server +setup_sftp_path: /usr/lib/openssh/sftp-server diff --git a/roles/setup/vars/main.yml b/roles/setup/vars/main.yml index d5795ca..cee4bb1 100644 --- a/roles/setup/vars/main.yml +++ b/roles/setup/vars/main.yml @@ -8,5 +8,5 @@ # =================================================================================================== --- -ansible_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' -noahk_password: '$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/' +setup_ansible_password: "$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/" +setup_noahk_password: "$6$8eLzx6DNI/aamHAp$ZJK3kpbXDaMDUxuCFzRbbYL78aqdDnRRd1zbQPO2ED.pQQdcuAEnwBI2Vf3a36j7I5ED4STx6TLQnB8RiY3Vw/"
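Review bot: Dropping `ssh_port: 4422` leaves no vars file defining a custom ssh port, and nothing in this diff defines `setup_openssh_port` either, so the `UFW allow custom ssh port` task added in software/ufw.yml is skipped everywhere and only port 22 is opened. If the sshd_config.j2 template (not in this diff) still renders `Port {{ ssh_port }}`, it will now fail on an undefined variable on Ubuntu hosts — confirm the template was updated, or reintroduce the value here as `setup_openssh_port: 4422` so the firewall rule and the template agree.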
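Review bot: `setup_ansible_password` and `setup_noahk_password` are the same literal crypt hash committed as plain role vars, which means the automation account and the personal sudo account share one password and its hash is readable by anyone with repository access (and stays in history after this rename). Keep these out of the plain vars file: encrypt them with ansible-vault (an inline `!vault` value or a vaulted vars file) or source them with `lookup('env', ...)`, and rotate the password now that the hash has been published. Give the two accounts distinct credentials so a compromise of one does not extend to the other. Note also that `vars/` has near-top precedence, so inventory cannot override these values; `defaults/` is the usual place for role values callers are meant to set.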