commit 408f5a70382fcdd72630c00c8bfa7921ea2b517e
Author: Simon Zernisch
Date: Mon Mar 20 16:03:41 2023 +0100
first commit
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..e8583ed
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+remote_user = simon
+inventory = hosts.ini
+vault_password_file = ~/.ansible/vault_pass.txt
+private_key_file=~/.ssh/ansible
\ No newline at end of file
diff --git a/host_vars/10.11.12.35 b/host_vars/10.11.12.35
new file mode 100644
index 0000000..58f94db
--- /dev/null
+++ b/host_vars/10.11.12.35
@@ -0,0 +1,2 @@
+hostname = "homeserver"
+domain = "zernis.ch"
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..d470039
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,4 @@
+---
+all:
+ hosts:
+ 10.11.12.35:
\ No newline at end of file
diff --git a/main.yml b/main.yml
new file mode 100644
index 0000000..f4cf72c
--- /dev/null
+++ b/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Setup Debian / Ubuntu defaults
+ hosts: all
+ become: true
+ roles:
+ - defaults
\ No newline at end of file
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
new file mode 100644
index 0000000..3490d6d
--- /dev/null
+++ b/roles/defaults/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# postfix config
+postfix_config_file: /etc/postfix/main.cf
+postfix_service_state: started
+postfix_service_enabled: true
+postfix_inet_protocols: ipv4
+postfix_relayhost: "{{ relay['server'] }}"
+
+# default email address
+email_reports: simon@zernis.ch
+
+# SASL Auth
+smtp_sasl_enable: 'yes'
+smtp_sasl_file: hash:/etc/postfix/relay_passwd
+smtp_sasl_options: noanonymous
\ No newline at end of file
diff --git a/roles/defaults/handlers/main.yml b/roles/defaults/handlers/main.yml
new file mode 100644
index 0000000..38ae314
--- /dev/null
+++ b/roles/defaults/handlers/main.yml
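Review bot: `inventory = hosts.ini` points at a file this commit does not add; the inventory that is committed is `hosts.yml`, so a plain `ansible-playbook main.yml` will run against an empty inventory until the line reads `inventory = hosts.yml`. The `private_key_file=~/.ssh/ansible` line also drops the spaces around `=` that the other keys use; `private_key_file = ~/.ssh/ansible` keeps the file consistent. Keeping `vault_password_file` outside the repository is the right choice, and the same should hold for the vault itself, since `relay`, `user` and `ssh_port` are referenced by the role but defined nowhere in this commit.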
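Review bot: `hostname = "homeserver"` and `domain = "zernis.ch"` are INI syntax, but `host_vars/` files are parsed as YAML, so this file yields a single plain scalar rather than a mapping and Ansible will refuse it as not being a dictionary, leaving `hostname` and `domain` undefined for `tasks/postfix.yml`. Write them as YAML keys: `hostname: homeserver` and `domain: zernis.ch`. Naming the file after the inventory host is correct; giving it a `.yml` extension makes the expected format explicit to the next reader.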
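Review bot: `postfix_relayhost: "{{ relay['server'] }}"` does not match the lookup key written by `templates/relay_passwd.j2`, which is `server:port`; Postfix searches `smtp_sasl_password_maps` with the `relayhost` string (and then the server hostname), so the `server:port` entry is very likely never found, and the configured port is never used because `relayhost` carries none. Use the same bracketed form in both places, e.g. `postfix_relayhost: "[{{ relay['server'] }}]:{{ relay['port'] }}"` here and `[{{ relay['server'] }}]:{{ relay['port'] }} {{ relay['user'] }}:{{ relay['password'] }}` in the template (the brackets also skip the MX lookup, which a submission relay normally wants). `smtp_sasl_enable: 'yes'` is correctly quoted because Postfix expects the literal word; a comment such as `# quoted on purpose: Postfix wants the literal string, not a YAML boolean` would stop a later cleanup from turning it into `true`. A `# expected from the vault: relay.server, relay.port, relay.user, relay.password` comment at the top would document the otherwise undeclared dependency.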
@@ -0,0 +1,23 @@
+---
+- name: Restart postfix
+ ansible.builtin.service:
+ name: postfix
+ state: restarted
+
+- name: New aliases
+ become: true
+ ansible.builtin.command: newaliases
+
+- name: Restart ssh
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
+
+- name: Restart cron
+ ansible.builtin.service:
+ name: cron
+ state: restarted
+
+- name: Postmap relay_passwd
+ ansible.builtin.command: >
+ postmap "{{ smtp_sasl_file }}"
\ No newline at end of file
diff --git a/roles/defaults/tasks/main.yml b/roles/defaults/tasks/main.yml
new file mode 100644
index 0000000..2d46f58
--- /dev/null
+++ b/roles/defaults/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Update apt cache & install sudo
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+ name:
+ - sudo
+
+- name: Add user "{{ user['name'] }}"
+ ansible.builtin.user:
+ name: "{{ user['name'] }}"
+ password: "{{ user['password'] }}"
+ shell: /bin/bash
+ groups: sudo
+
+- name: Configure SSH
+ ansible.builtin.import_tasks: ssh-config.yml
+
+- name: Install & Configure unattended upgrades
+ ansible.builtin.import_tasks: unattended-upgrades.yml
+
+- name: Install & Configure Postfix
+ ansible.builtin.import_tasks: postfix.yml
\ No newline at end of file
diff --git a/roles/defaults/tasks/postfix.yml b/roles/defaults/tasks/postfix.yml
new file mode 100644
index 0000000..65a36cb
--- /dev/null
+++ b/roles/defaults/tasks/postfix.yml
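Review bot: `Postmap relay_passwd` is defined after `Restart postfix`, and handlers run in the order they are listed in this file rather than the order given in `notify`, so on the first run postfix is restarted before `relay_passwd.db` has been built; move the `Postmap relay_passwd` handler above `Restart postfix`. `New aliases` is the only handler carrying `become: true` even though the play in `main.yml` already escalates for every task, so the line is redundant and can go. As far as I recall `postmap` gives the generated `.db` the permissions of its input file, so the mode chosen for `/etc/postfix/relay_passwd` in `tasks/postfix.yml` also decides who can read the compiled credential map.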
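Review bot: `password: "{{ user['password'] }}"` hands the value to `ansible.builtin.user` unchanged, and that module expects an already-hashed crypt string, so a plaintext vault value produces an account nobody can log into; use `password: "{{ user['password'] | password_hash('sha512') }}"` and add `update_password: on_create` so the task stops reporting `changed` (and re-hashing with a fresh salt) on every run. `groups: sudo` without `append: true` replaces the user's supplementary groups instead of adding to them, which strips memberships on an already existing account. The `user` dict is not defined anywhere in this commit, presumably coming from the vault referenced in `ansible.cfg`; a one-line comment naming the expected keys (`name`, `password`) would help the next maintainer.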
@@ -0,0 +1,66 @@
+---
+- name: Update /etc/hostname
+ become: true
+ ansible.builtin.hostname:
+ name: '{{ hostname }}'
+
+- name: Update /etc/hosts
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ regexp: '^127.0.1.1'
+ line: '127.0.1.1 {{ hostname }}.{{ domain }} {{ hostname }}'
+
+- name: Update /etc/aliases | set email adress
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/aliases
+ regexp: '^root:'
+ line: 'root: {{ email_reports }}'
+ notify: New aliases
+
+- name: Ensure postfix is installed
+ become: true
+ ansible.builtin.package:
+ name: postfix
+ state: present
+
+- name: Update Postfix configuration
+ become: true
+ ansible.builtin.lineinfile:
+ dest: "{{ postfix_config_file }}"
+ line: "{{ item.name }} = {{ item.value }}"
+ regexp: "^{{ item.name }} ="
+ mode: '0644'
+ with_items:
+ - name: inet_protocols
+ value: "{{ postfix_inet_protocols }}"
+ - name: relayhost
+ value: "{{ postfix_relayhost }}"
+ - name: myhostname
+ value: "{{ hostname }}.{{ domain }}"
+ - name: smtp_sasl_auth_enable
+ value: "{{ smtp_sasl_enable }}"
+ - name: smtp_sasl_password_maps
+ value: "{{ smtp_sasl_file }}"
+ - name: smtp_sasl_security_options
+ value: "{{ smtp_sasl_options }}"
+
+- name: Copy relay_passwd
+ ansible.builtin.template:
+ src: "../templates/relay_passwd.j2"
+ dest: /etc/postfix/relay_passwd
+ owner: root
+ group: root
+ mode: '0644'
+
+ notify:
+ - Postmap relay_passwd
+ - Restart postfix
+
+- name: Ensure postfix is started and enabled at boot
+ become: true
+ ansible.builtin.service:
+ name: postfix
+ state: "{{ postfix_service_state }}"
+ enabled: "{{ postfix_service_enabled }}"
\ No newline at end of file
diff --git a/roles/defaults/tasks/ssh-config.yml b/roles/defaults/tasks/ssh-config.yml
new file mode 100644
index 0000000..7999c09
--- /dev/null
+++ b/roles/defaults/tasks/ssh-config.yml
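Review bot: `Copy relay_passwd` writes the relay username and password with `mode: '0644'`, which makes the credentials readable by every local account; the file is only read by root and `postmap`, so use `mode: '0600'` (Postfix's SASL documentation asks for exactly that) and add `no_log: true` to the task so the rendered content does not appear in verbose or `--diff` output. `regexp: '^127.0.1.1'` in `Update /etc/hosts` has unescaped dots and also matches unrelated lines; `regexp: '^127\.0\.1\.1'` is what was meant. The per-task `become: true` lines duplicate the play-level `become: true` in `main.yml`, `dest:` in `Update Postfix configuration` is the legacy alias of `path:`, and the stray blank line between `mode:` and `notify:` inside `Copy relay_passwd` should go. The hostname and `/etc/hosts` tasks are not Postfix-specific and would read better in their own task file.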
@@ -0,0 +1,23 @@
+---
+- name: Add Authorized Keys
+ ansible.posix.authorized_key:
+ user: "{{ user['name'] }}"
+ state: present
+ key: "{{ lookup('file', 'simon_win11.pub') }}"
+
+- name: Harden SSH Config
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ mode: '0644'
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^Port"
+ line: "Port {{ ssh_port }}"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin without-password"
+ notify: Restart ssh
\ No newline at end of file
diff --git a/roles/defaults/tasks/unattended-upgrades.yml b/roles/defaults/tasks/unattended-upgrades.yml
new file mode 100644
index 0000000..d74b965
--- /dev/null
+++ b/roles/defaults/tasks/unattended-upgrades.yml
@@ -0,0 +1,18 @@
+---
+- name: Install unattended-upgrades
+ ansible.builtin.apt:
+ name: unattended-upgrades
+ state: present
+ when: ansible_os_family == 'Debian'
+
+- name: Configure unattended-upgrades
+ ansible.builtin.template:
+ src: "../templates/{{ item }}.j2"
+ dest: "/etc/apt/apt.conf.d/{{ item }}"
+ owner: root
+ group: root
+ mode: '0644'
+ with_items:
+ - 20auto-upgrades
+ - 50unattended-upgrades
+ when: ansible_os_family == 'Debian'
\ No newline at end of file
diff --git a/roles/defaults/templates/20auto-upgrades.j2 b/roles/defaults/templates/20auto-upgrades.j2
new file mode 100644
index 0000000..464cd5f
--- /dev/null
+++ b/roles/defaults/templates/20auto-upgrades.j2
@@ -0,0 +1,3 @@
+# File: /etc/apt/apt.conf.d/20auto-upgrades
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
\ No newline at end of file
diff --git a/roles/defaults/templates/50unattended-upgrades.j2 b/roles/defaults/templates/50unattended-upgrades.j2
new file mode 100644
index 0000000..bc83976
--- /dev/null
+++ b/roles/defaults/templates/50unattended-upgrades.j2
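Review bot: editing `/etc/ssh/sshd_config` with `lineinfile` does not guarantee that the hardened values take effect, because current Debian and Ubuntu ship an `Include /etc/ssh/sshd_config.d/*.conf` at the top of that file and sshd keeps the first value it reads for each keyword, so a vendor drop-in that still says `PasswordAuthentication yes` silently wins; managing a drop-in of your own in `/etc/ssh/sshd_config.d/` (for example `00-hardening.conf`) or the shipped drop-ins is the reliable approach, and checking `sshd -T` on the host after the run confirms the effective values. `PermitRootLogin without-password` is the deprecated spelling; `PermitRootLogin prohibit-password` is the current keyword. Changing `Port {{ ssh_port }}` and restarting sshd at the end of the play means every later play or run needs `ansible_port` set in the inventory, and `ssh_port` is not defined anywhere in this commit. The key file `simon_win11.pub` read by `lookup('file', …)` is also not part of this commit, so it has to be provided in the role's `files/` directory.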
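Review bot: `src: "../templates/{{ item }}.j2"` escapes the tasks directory with a relative path; roles resolve `templates/` automatically, so `src: "{{ item }}.j2"` is the idiomatic form (the same applies to `src: "../templates/relay_passwd.j2"` in `tasks/postfix.yml`). `with_items` is the legacy loop keyword; `loop:` with the same two-item list behaves identically here. The `when: ansible_os_family == 'Debian'` guards are sensible given the play targets `all`, but a `meta/main.yml` declaring the supported platforms would make the role's scope explicit.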
@@ -0,0 +1,16 @@
+# File: /etc/apt/apt.conf.d/50unattended-upgrades
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}ESM:${distro_codename}";
+// "${distro_id}:${distro_codename}-updates";
+// "${distro_id}:${distro_codename}-proposed";
+// "${distro_id}:${distro_codename}-backports";
+};
+
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailReport "on-change";
\ No newline at end of file
diff --git a/roles/defaults/templates/relay_passwd.j2 b/roles/defaults/templates/relay_passwd.j2
new file mode 100644
index 0000000..70ff79a
--- /dev/null
+++ b/roles/defaults/templates/relay_passwd.j2
@@ -0,0 +1 @@
+{{ relay['server'] }}:{{ relay['port'] }} {{ relay['user'] }}:{{ relay['password'] }}
\ No newline at end of file
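Review bot: `Unattended-Upgrade::Automatic-Reboot "false";` means kernel and libc security updates are installed but not activated until someone reboots, and nothing in this role reports a pending reboot; either schedule it with `Unattended-Upgrade::Automatic-Reboot "true";` plus `Unattended-Upgrade::Automatic-Reboot-Time "03:00";`, or record the manual step in a comment so the gap is a known one. The `"${distro_id}ESM:${distro_codename}";` origin is inert on Debian and its exact spelling has changed between Ubuntu releases, so compare it with the `50unattended-upgrades` file the package ships on the target before relying on it. `Unattended-Upgrade::Mail "root";` depends on the `root:` alias that `tasks/postfix.yml` sets; a one-line comment here naming that coupling would help whoever edits one file without the other.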