Added role common

5 years ago · d3494ed1b9
parent 4862b9dd69
commit d3494ed1b9
9 changed files with 115 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -9,3 +9,4 @@ Following roles have been defined to make creating a server configuration easy:
 - **acme** defines roles for handling the automatic handling of certificates with *acme.sh*
  - **application** installs main application
  - **certificate** issues a given certificate
+- **common** defines the installation of common packages and common configurations like firewall
--- a/roles/close_credentials/tasks/main.yml
+++ b/roles/close_credentials/tasks/main.yml
@ -0,0 +1,9 @@
+---
+
+- name: Close storage for ansible credentials
+  file:
+    path: "/etc/ansible-credentials"
+    state: directory
+    owner: root
+    group: ansible-credentials
+    mode: 0700
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: restart ssh
+  systemd:
+    status: restarted
+    name: ssh
--- a/roles/common/tasks/credentials.yml
+++ b/roles/common/tasks/credentials.yml
@ -0,0 +1,23 @@
+---
+
+- name: Create group for access to ansible credentials
+  group:
+    name: ansible-credentials # TODO Export to variable
+    state: present
+    system: yes
+
+- name: Configure storage for ansible credentials
+  file:
+    path: "/etc/ansible-credentials" # TODO Export to variable
+    state: directory
+    owner: root
+    group: ansible-credentials
+    mode: 0770
+
+- name: Allow access to ansible credentials
+  user:
+    append: yes
+    name: "{{ ansible_user }}"
+    groups:
+      - ansible-credentials
+
--- a/roles/common/tasks/locales.yml
+++ b/roles/common/tasks/locales.yml
@ -0,0 +1,11 @@
+---
+
+- name: Configure timezone
+  timezone:
+    name: "{{ TIMEZONE }}"
+  when: TIMEZONE is defined
+
+- name: Configure vim as defualt editor
+  alternatives:
+    name: editor
+    path: /usr/bin/vim.basic
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -0,0 +1,16 @@
+---
+
+- name: Configure apt packages
+  include_tasks: packages.yml
+
+- name: Configure sshd
+  include_tasks: sshd.yml
+
+- name: Configure ufw
+  include_tasks: ufw.yml
+
+- name: Configure ansible credentials
+  include_tasks: credentials.yml
+
+- name: Configure locales
+  include_tasks: locales.yml
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@ -0,0 +1,27 @@
+---
+
+- name: Update packages and install common packaged
+  apt:
+    name:
+      - acl
+      - apt-transport-https
+      - ca-certificates
+      - cron
+      - curl
+      - git
+      - gnupg2
+      - htop
+      - python
+      - python-pip
+      - software-properties-common
+      - tmux
+      - ufw
+      - vim
+      - wget
+      - zsh
+    state: latest
+    allow_unauthenticated: no
+    update_cache: yes
+    cache_valid_time: 3600
+    autoclean: yes
+    autoremove: yes
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -0,0 +1,16 @@
+---
+
+- name: Allow ssh on firewall
+  ufw:
+    rule: allow
+    port: 22
+    proto: tcp
+
+- name: Disable password authentication on ssh
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication "
+    line: "PasswordAuthentication no"
+  notify: restart ssh
+
+# TODO Collect SSH Host Keys
--- a/roles/common/tasks/ufw.yml
+++ b/roles/common/tasks/ufw.yml
@ -0,0 +1,6 @@
+---
+
+- name: Enable firewall with deny by default
+  ufw:
+    state: enabled
+    policy: deny