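---
# Bootstraps a fresh Ubuntu 18.04 (bionic) host: patches it, creates an
# admin user with key-only SSH access, hardens sshd, deploys fail2ban,
# enables UFW, optionally installs Docker, and always installs Telegraf.
#
# The first run connects as root (remote_user below). The play ends by
# disabling root login and restricting sshd to `create_user`, so every later
# run must connect as that user instead (the commented alternative) with
# `become: true`.
#
# NOTE(review): `copy_local_key` must be the operator's own public key.
# Once the restart_ssh handler fires, that key on `create_user` is the only
# remaining way into the host.
- name: Initial Ubuntu 18.04 installation
  hosts: all
  remote_user: root
  # remote_user: "{{ create_user }}"
  # become: true
  gather_facts: true
  vars_files:
    - vars/default.yml

  tasks:
    - name: Update cache & upgrade
      apt:
        update_cache: true
        upgrade: 'yes'

    # --- Sudo group --------------------------------------------------------
    - name: Make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    # NOPASSWD is needed because the user created below gets no password
    # (the `user` module leaves it locked), so password-prompting sudo would
    # be unusable. Consequence: every member of wheel is effectively root.
    # The visudo check rejects a malformed line before it replaces the file.
    - name: Allow 'wheel' group to have passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    # --- Admin user + key ----------------------------------------------------
    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ create_user }}"
        state: present
        groups: wheel
        append: true
        create_home: true
        shell: /bin/bash

    - name: Set authorized key for remote user
      authorized_key:
        user: "{{ create_user }}"
        state: present
        key: "{{ copy_local_key }}"

    # --- sshd hardening ------------------------------------------------------
    # Key-only logins, no root, only `create_user` may log in at all.
    # `validate` runs sshd's config test on the candidate file before it
    # replaces sshd_config: a typo, or a directive landing inside a trailing
    # `Match` block (lineinfile appends unmatched lines at EOF), fails this
    # task instead of leaving a config the restart handler cannot load and
    # locking everyone out.
    - name: ssh config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^#?ChallengeResponseAuthentication', line: 'ChallengeResponseAuthentication no' }
        - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
        - { regexp: '^#?ClientAliveInterval', line: 'ClientAliveInterval 300' }
        - { regexp: '^#?UsePAM', line: 'UsePAM yes' }
        - { regexp: '^#?AllowUsers', line: 'AllowUsers {{ create_user }}' }
      notify:
        - restart_ssh

    # --- Packages -------------------------------------------------------------
    # `state: latest` installs whatever the mirror serves at run time; pin
    # versions in vars/default.yml if reproducible builds matter more than
    # picking up the newest patch level on each run.
    - name: Update apt
      apt:
        update_cache: true

    - name: Install required packages
      apt:
        name: "{{ sys_packages }}"
        state: latest

    # --- fail2ban --------------------------------------------------------------
    - name: update configuration file /etc/fail2ban/fail2ban.local
      template:
        src: fail2ban.local
        dest: /etc/fail2ban/fail2ban.local
        owner: root
        group: root
        mode: "0644"
      notify: restart_fail2ban

    # --- UFW ------------------------------------------------------------------
    # The SSH allow rule is added before the default-deny policy is enabled
    # so the firewall never comes up in a state that drops the session that
    # is driving this play.
    - name: UFW - Allow SSH connections
      ufw:
        rule: allow
        name: OpenSSH

    # Fixed: this task previously used `state: disabled`, which wrote the
    # deny policy and then switched the firewall off, so nothing was filtered
    # despite the task name. `enabled` activates the policy.
    # Caveat: Docker publishes container ports through its own iptables
    # chains and bypasses UFW, so published ports stay reachable regardless.
    - name: UFW - Deny all other incoming traffic by default
      ufw:
        state: enabled
        policy: deny
        direction: incoming

    # --- Docker (optional) ----------------------------------------------------
    # apt_key adds the key to the system-wide trusted keyring, where it can
    # sign packages for *any* configured repo, not only Docker's. Scoping it
    # with a [signed-by=...] keyring in the sources entry would be tighter.
    - name: Install Docker
      block:
        - name: Add Docker gpg key
          apt_key:
            url: https://download.docker.com/linux/ubuntu/gpg
            state: present
        - name: Add Docker Repository
          apt_repository:
            repo: deb https://download.docker.com/linux/ubuntu bionic stable
            state: present
        - name: Update apt and install docker-ce
          apt:
            update_cache: true
            name: docker-ce
            state: latest
      notify:
        - restart_docker
      # when: install_docker == true
      when: '"docker" in custom_packages'

    # --- Telegraf --------------------------------------------------------------
    # Same keyring caveat as Docker above: the InfluxData key becomes trusted
    # for every repository on the host.
    - name: Add Telegraf repo
      lineinfile:
        path: /etc/apt/sources.list.d/influxdata.list
        create: true
        state: present
        line: 'deb https://repos.influxdata.com/ubuntu bionic stable'

    - name: Add apt signing key
      apt_key:
        url: https://repos.influxdata.com/influxdb.key
        state: present

    - name: Update apt packages
      apt:
        name: telegraf
        state: present
        update_cache: true

    # telegraf_name is rendered into the template as the agent's hostname tag.
    - name: Add telegraf config
      template:
        src: ./templates/telegraf.conf
        dest: /etc/telegraf/telegraf.conf
        follow: true
      vars:
        telegraf_name: "{{ inventory_hostname }}"
      notify:
        - restart_telegraf

  # Handlers run once at the end of the play (or not at all if a task fails
  # and --force-handlers is not set), so sshd is restarted only after every
  # hardening task above has completed and validated.
  handlers:
    - name: restart_ssh
      service:
        name: ssh
        state: restarted

    - name: restart_telegraf
      service:
        name: telegraf
        state: restarted

    - name: restart_docker
      service:
        name: docker
        state: restarted

    - name: restart_fail2ban
      service:
        name: fail2ban
        state: restarted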