diff --git a/README.md b/README.md
index acad8d3..a062b16 100644
--- a/README.md
+++ b/README.md
@@ -9,3 +9,4 @@ Following roles have been defined to make creating a server configuration easy:
 - **acme** defines roles for handling the automatic handling of certificates with *acme.sh*
 - **application** installs main application
 - **certificate** issues a given certificate
+- **common** defines the installation of common packages and common configurations like firewall
diff --git a/roles/close_credentials/tasks/main.yml b/roles/close_credentials/tasks/main.yml
new file mode 100644
index 0000000..29026cd
--- /dev/null
+++ b/roles/close_credentials/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Close storage for ansible credentials
+ file:
+ path: "/etc/ansible-credentials"
+ state: directory
+ owner: root
+ group: ansible-credentials
+ mode: 0700
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..0dd63f4
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart ssh
+ systemd:
+ status: restarted
+ name: ssh
diff --git a/roles/common/tasks/credentials.yml b/roles/common/tasks/credentials.yml
new file mode 100644
index 0000000..05b70b7
--- /dev/null
+++ b/roles/common/tasks/credentials.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Create group for access to ansible credentials
+ group:
+ name: ansible-credentials # TODO Export to variable
+ state: present
+ system: yes
+
+- name: Configure storage for ansible credentials
+ file:
+ path: "/etc/ansible-credentials" # TODO Export to variable
+ state: directory
+ owner: root
+ group: ansible-credentials
+ mode: 0770
+
+- name: Allow access to ansible credentials
+ user:
+ append: yes
+ name: "{{ ansible_user }}"
+ groups:
+ - ansible-credentials
+
diff --git a/roles/common/tasks/locales.yml b/roles/common/tasks/locales.yml
new file mode 100644
index 0000000..65c871f
--- /dev/null
+++ b/roles/common/tasks/locales.yml
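Review bot: `mode: 0700` in roles/close_credentials/tasks/main.yml is an unquoted octal literal; Ansible reads it as octal only because of the leading zero, and a YAML 1.2 parser or a reformatter that strips the zero would hand over decimal 700 instead. Quote it as `mode: "0700"`, and likewise `mode: 0770` in roles/common/tasks/credentials.yml. The directory path and group name here repeat the literals in credentials.yml, which already carries a `# TODO Export to variable`; a single role variable for each (for example a `credentials_dir` and `credentials_group`, names constructed here) keeps the open and close steps from drifting apart.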
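Review bot: The `systemd` module has no `status` parameter; the key that takes `restarted` is `state`, so as written the `restart ssh` handler in roles/common/handlers/main.yml fails with an unsupported-parameter error the first time the sshd task notifies it, after the config has already been changed. Change the line to `state: restarted`. The unit name `ssh` is the Debian/Ubuntu one; if the role is ever applied to a RHEL-family host the unit is `sshd`, which is worth a comment above the handler.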
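Review bot: `name: "{{ ansible_user }}"` in the last task of roles/common/tasks/credentials.yml is only defined when the inventory or configuration sets the connection user explicitly; when the play relies on the default login the variable is undefined and the task errors out. If the intent is the account Ansible actually logged in as, the gathered fact `ansible_user_id` is defined either way, i.e. `name: "{{ ansible_user_id }}"` (needs fact gathering on). Note that `mode: 0770` with `owner: root` makes the directory group-writable without a sticky bit, so every member of `ansible-credentials` can create, replace or delete any file in it, not just read; if the group is meant to be read-only for most members, `0750` plus a dedicated writer is the safer layout. The `yes` values on `system:` and `append:` are YAML 1.1 truthy spellings that yamllint flags; `true` is the canonical form.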
@@ -0,0 +1,11 @@
+---
+
+- name: Configure timezone
+ timezone:
+ name: "{{ TIMEZONE }}"
+ when: TIMEZONE is defined
+
+- name: Configure vim as defualt editor
+ alternatives:
+ name: editor
+ path: /usr/bin/vim.basic
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..8400df4
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Configure apt packages
+ include_tasks: packages.yml
+
+- name: Configure sshd
+ include_tasks: sshd.yml
+
+- name: Configure ufw
+ include_tasks: ufw.yml
+
+- name: Configure ansible credentials
+ include_tasks: credentials.yml
+
+- name: Configure locales
+ include_tasks: locales.yml
diff --git a/roles/common/tasks/packages.yml b/roles/common/tasks/packages.yml
new file mode 100644
index 0000000..603f191
--- /dev/null
+++ b/roles/common/tasks/packages.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Update packages and install common packaged
+ apt:
+ name:
+ - acl
+ - apt-transport-https
+ - ca-certificates
+ - cron
+ - curl
+ - git
+ - gnupg2
+ - htop
+ - python
+ - python-pip
+ - software-properties-common
+ - tmux
+ - ufw
+ - vim
+ - wget
+ - zsh
+ state: latest
+ allow_unauthenticated: no
+ update_cache: yes
+ cache_valid_time: 3600
+ autoclean: yes
+ autoremove: yes
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
new file mode 100644
index 0000000..00b0e28
--- /dev/null
+++ b/roles/common/tasks/sshd.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Allow ssh on firewall
+ ufw:
+ rule: allow
+ port: 22
+ proto: tcp
+
+- name: Disable password authentication on ssh
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication "
+ line: "PasswordAuthentication no"
+ notify: restart ssh
+
+# TODO Collect SSH Host Keys
diff --git a/roles/common/tasks/ufw.yml b/roles/common/tasks/ufw.yml
new file mode 100644
index 0000000..2da975a
--- /dev/null
+++ b/roles/common/tasks/ufw.yml
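Review bot: The second task name in roles/common/tasks/locales.yml misspells "default" as `defualt`, and task names are what every play log shows; `- name: Configure vim as default editor`. The file is called locales.yml but sets the timezone and the editor alternative, not locales, so either rename it or pick a task-file name that matches what it does. `TIMEZONE` as an upper-case variable departs from the lower_snake_case Ansible uses for variables; a role-prefixed name such as `common_timezone` (constructed example) is only a style point, but worth settling before the name spreads into inventories.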
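Review bot: The include order in roles/common/tasks/main.yml carries an undocumented dependency: sshd.yml adds the ufw allow rule for port 22 and ufw.yml then enables the firewall with a deny default, so swapping those two includes would lock the controller out of the managed host at the enable step. Add a comment above the ufw include, e.g. `# Must run after sshd.yml: the allow-22 rule has to exist before the deny-default policy is enabled`. The last include is named "Configure locales" but locales.yml only sets the timezone and default editor, so the task name misdescribes it in play output.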
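Review bot: `state: latest` on the 16-package list in roles/common/tasks/packages.yml turns every run into an upgrade of those packages, so the play is not idempotent and can pull in new versions during an unrelated deploy; `state: present` here plus a separate, explicitly scheduled upgrade task keeps installs predictable. The `python` and `python-pip` entries appear to be the Python 2 package names, which recent Debian/Ubuntu releases no longer ship, and a single missing name fails the whole apt task — confirm against the target release. The task name reads "common packaged"; `common packages`. The `yes`/`no` values on `allow_unauthenticated`, `update_cache`, `autoclean` and `autoremove` are YAML 1.1 truthy spellings; `true`/`false` is the canonical form.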
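Review bot: The `lineinfile` task in roles/common/tasks/sshd.yml has no `validate`, so a malformed edit reaches the `restart ssh` handler and can leave sshd down on the managed host; add `validate: /usr/sbin/sshd -t -f %s` to the task. Because `regexp: "^PasswordAuthentication "` matches only an uncommented directive, on a stock config where it is commented out the new line is appended at end of file, which lands inside any trailing `Match` block, and on releases whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` an earlier drop-in value wins because sshd keeps the first value it reads — `insertbefore: BOF` places the fallback insert at the top instead, or manage a drop-in file under sshd_config.d. Disabling `PasswordAuthentication` alone may not stop password prompts delivered through keyboard-interactive/PAM on some distributions; whether the kbd-interactive setting also needs managing depends on the target's defaults and is worth checking once the role runs. The `# TODO Collect SSH Host Keys` comment would read better with the intent spelled out (e.g. record known_hosts entries for the controller).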
@@ -0,0 +1,6 @@
+---
+
+- name: Enable firewall with deny by default
+ ufw:
+ state: enabled
+ policy: deny