first commit

ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+remote_user = simon
+inventory = hosts.ini
+vault_password_file = ~/.ansible/vault_pass.txt
+private_key_file=~/.ssh/ansible

host_vars/10.11.12.35

@@ -0,0 +1,2 @@
+hostname = "homeserver"
+domain = "zernis.ch"

hosts.yml

@@ -0,0 +1,4 @@
+---
+all:
+  hosts:
+    10.11.12.35:

main.yml

@@ -0,0 +1,6 @@
+---
+- name: Setup Debian / Ubuntu defaults
+  hosts: all
+  become: true
+  roles:
+    - defaults

roles/defaults/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+# postfix config
+postfix_config_file: /etc/postfix/main.cf
+postfix_service_state: started
+postfix_service_enabled: true
+postfix_inet_protocols: ipv4
+postfix_relayhost: "{{ relay['server'] }}"
+
+# default email address
+email_reports: simon@zernis.ch
+
+# SASL Auth
+smtp_sasl_enable: 'yes'
+smtp_sasl_file: hash:/etc/postfix/relay_passwd
+smtp_sasl_options: noanonymous

roles/defaults/handlers/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Restart postfix
+  ansible.builtin.service:
+    name: postfix
+    state: restarted
+
+- name: New aliases
+  become: true
+  ansible.builtin.command: newaliases
+
+- name: Restart ssh
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+
+- name: Restart cron
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+
+- name: Postmap relay_passwd
+  ansible.builtin.command: >
+    postmap "{{  smtp_sasl_file }}"

roles/defaults/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Update apt cache & install sudo
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+    name:
+      - sudo
+
+- name: Add user "{{ user['name'] }}"
+  ansible.builtin.user:
+    name: "{{ user['name'] }}"
+    password: "{{ user['password'] }}"
+    shell: /bin/bash
+    groups: sudo
+
+- name: Configure SSH
+  ansible.builtin.import_tasks: ssh-config.yml
+
+- name: Install & Configure unattended upgrades
+  ansible.builtin.import_tasks: unattended-upgrades.yml
+
+- name: Install & Configure Postfix
+  ansible.builtin.import_tasks: postfix.yml

roles/defaults/tasks/postfix.yml

@@ -0,0 +1,66 @@
+---
+- name: Update /etc/hostname
+  become: true
+  ansible.builtin.hostname:
+    name: '{{ hostname }}'
+
+- name: Update /etc/hosts
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    regexp: '^127.0.1.1'
+    line: '127.0.1.1 {{ hostname }}.{{ domain }} {{ hostname }}'
+
+- name: Update /etc/aliases | set email adress
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/aliases
+    regexp: '^root:'
+    line: 'root: {{ email_reports }}'
+  notify: New aliases
+
+- name: Ensure postfix is installed
+  become: true
+  ansible.builtin.package:
+    name: postfix
+    state: present
+
+- name: Update Postfix configuration
+  become: true
+  ansible.builtin.lineinfile:
+    dest: "{{ postfix_config_file }}"
+    line: "{{ item.name }} = {{ item.value }}"
+    regexp: "^{{ item.name }} ="
+    mode: '0644'
+  with_items:
+    - name: inet_protocols
+      value: "{{ postfix_inet_protocols }}"
+    - name: relayhost
+      value: "{{ postfix_relayhost }}"
+    - name: myhostname
+      value: "{{ hostname }}.{{ domain }}"
+    - name: smtp_sasl_auth_enable
+      value: "{{ smtp_sasl_enable }}"
+    - name: smtp_sasl_password_maps
+      value: "{{ smtp_sasl_file }}"
+    - name: smtp_sasl_security_options
+      value: "{{ smtp_sasl_options }}"
+
+- name: Copy relay_passwd
+  ansible.builtin.template:
+    src: "../templates/relay_passwd.j2"
+    dest: /etc/postfix/relay_passwd
+    owner: root
+    group: root
+    mode: '0644'
+
+  notify:
+    - Postmap relay_passwd
+    - Restart postfix
+
+- name: Ensure postfix is started and enabled at boot
+  become: true
+  ansible.builtin.service:
+    name: postfix
+    state: "{{ postfix_service_state }}"
+    enabled: "{{ postfix_service_enabled }}"

roles/defaults/tasks/ssh-config.yml

@@ -0,0 +1,23 @@
+---
+- name: Add Authorized Keys
+  ansible.posix.authorized_key:
+    user: "{{ user['name'] }}"
+    state: present
+    key: "{{ lookup('file', 'simon_win11.pub') }}"
+
+- name: Harden SSH Config
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: '0644'
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication no"
+    - regexp: "^Port"
+      line: "Port {{ ssh_port }}"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin without-password"
+  notify: Restart ssh

roles/defaults/tasks/unattended-upgrades.yml

@@ -0,0 +1,18 @@
+---
+- name: Install unattended-upgrades
+  ansible.builtin.apt:
+    name: unattended-upgrades
+    state: present
+  when: ansible_os_family == 'Debian'
+
+- name: Configure unattended-upgrades
+  ansible.builtin.template:
+    src: "../templates/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - 20auto-upgrades
+    - 50unattended-upgrades
+  when: ansible_os_family == 'Debian'

roles/defaults/templates/20auto-upgrades.j2

@@ -0,0 +1,3 @@
+# File: /etc/apt/apt.conf.d/20auto-upgrades
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

roles/defaults/templates/50unattended-upgrades.j2

@@ -0,0 +1,16 @@
+# File: /etc/apt/apt.conf.d/50unattended-upgrades
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::DevRelease "false";
+
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+        "${distro_id}ESM:${distro_codename}";
+//      "${distro_id}:${distro_codename}-updates";
+//      "${distro_id}:${distro_codename}-proposed";
+//      "${distro_id}:${distro_codename}-backports";
+};
+
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailReport "on-change";

roles/defaults/templates/relay_passwd.j2

@@ -0,0 +1 @@
+{{ relay['server'] }}:{{ relay['port'] }} {{ relay['user'] }}:{{ relay['password'] }}