---

# Deprecation

# ===========

- name: Drop deprecated directories and files

  file:

    path: "{{ item }}"

    state: absent

  with_items:

    - "/etc/pip_check_requirements_upgrades-py3"

    - "/var/lib/pipreqcheck/virtualenv-py3"

    - "/etc/cron.d/check_pip_requirements-py3"

- name: Drop deprecated packages

  apt:

    name:

      - ntp

      - ntpdate

    state: absent

    purge: true

# Main implementation

# ===================

- name: Enable use of proxy for retrieving system packages via apt

  template:

    src: "apt_proxy.j2"

    dest: "/etc/apt/apt.conf.d/00proxy"

    owner: root

    group: root

    mode: 0644

  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt

  file:

    path: "/etc/apt/apt.conf.d/00proxy"

    state: absent

  when: apt_proxy is undefined

- name: Deploy pam-auth-update configuration file for enabling pam_umask

  copy:

    src: "pam_umask"

    dest: "/usr/share/pam-configs/umask"

    owner: root

    group: root

    mode: 0644

  register: pam_umask

  notify:

    - Update PAM configuration

- name: Update PAM configuration  # noqa 503

  # [503] Tasks that run when changed should likely be handlers

  #   In order to have consistent behaviour during the first and

  #   subsequent playbook runs, make sure the PAM configuration is

  #   updated immediatelly. This way any files created by commands etc

  #   should end-up with correct permissions straight away.

  command: "/usr/sbin/pam-auth-update --package"

  when: pam_umask.changed

- name: Set login UMASK

  lineinfile:

    dest: "/etc/login.defs"

    state: present

    backrefs: true

    regexp: '^UMASK(\s+)'

    line: 'UMASK\g<1>027'

- name: Set home directory mask

  lineinfile:

    dest: "/etc/adduser.conf"

    state: present

    backrefs: true

    regexp: '^\s*#?\s*DIR_MODE='

    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts

  template:

    src: "bash_prompt.sh.j2"

    dest: "/etc/profile.d/bash_prompt.sh"

    owner: root

    group: root

    mode: 0644

- name: Deploy profile configuration that allows for user-specific profile.d files

  copy:

    src: "user_profile_d.sh"

    dest: "/etc/profile.d/z99-user_profile_d.sh"

    owner: root

    group: root

    mode: 0644

- name: Replace default and skeleton bashrc

  copy:

    src: "{{ item.key }}"

    dest: "{{ item.value }}"

    owner: root

    group: root

    mode: 0644

  with_dict:

    bashrc: "/etc/bash.bashrc"

    skel_bashrc: "/etc/skel/.bashrc"

- name: Calculate stock checksum for bashrc root account

  stat:

    path: "/root/.bashrc"

  register: root_bashrc_stat

- name: Replace stock bashrc for root account with skeleton one

  copy:

    src: "skel_bashrc"

    dest: "/root/.bashrc"

    owner: root

    group: root

    mode: 0640

  # Checksums: bookworm

  when: |

    root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f"

- name: Install sudo

  apt:

    name: sudo

    state: present

- name: Install ssl-cert package

  apt:

    name: ssl-cert

    state: present

- name: Install common packages

  apt:

    name: "{{ common_packages }}"

    state: "present"

- name: Disable electric-indent-mode for Emacs by default for all users

  copy:

    src: "01disable-electric-indent-mode.el"

    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"

    owner: root

    group: root

    mode: 0644

  when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0"

- name: Set-up operating system groups

  group:

    name: "{{ item.name }}"

    gid: "{{ item.gid | default(omit) }}"

    state: present

  with_items: "{{ os_groups }}"

- name: Set-up operating system user groups

  group:

    name: "{{ item.name }}"

    gid: "{{ item.uid | default(omit) }}"

    state: present

  with_items: "{{ os_users }}"

- name: Set-up operating system users

  user:

    name: "{{ item.name }}"

    uid: "{{ item.uid | default(omit) }}"

    group: "{{ item.name }}"

    groups: "{{ ','.join(item.additional_groups | default([])) }}"

    append: true

    shell: /bin/bash

    state: present

    password: "{{ item.password | default('!') }}"

    update_password: on_create

  with_items: "{{ os_users }}"

- name: Set-up authorised keys

  authorized_key:

    user: "{{ item.0.name }}"

    key: "{{ item.1 }}"

  with_subelements:

    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"

    - authorized_keys

- name: Disable remote logins for root

  lineinfile:

    dest: "/etc/ssh/sshd_config"

    state: present

    regexp: "^PermitRootLogin"

    line: "PermitRootLogin no"

  notify:

    - Restart SSH

- name: Disable remote login authentication via password

  lineinfile:

    dest: "/etc/ssh/sshd_config"

    state: present

    regexp: "^PasswordAuthentication"

    line: "PasswordAuthentication no"

  notify:

    - Restart SSH

- name: Deploy CA certificates

  copy:

    content: "{{ item.value }}"

    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"

    owner: root

    group: root

    mode: 0644

  with_dict: "{{ ca_certificates }}"

  register: deploy_ca_certificates_result

- name: Update CA certificate cache  # noqa 503

  # [503] Tasks that run when changed should likely be handlers

  #   CA certificate cache must be updated immediatelly in order for

  #   applications depending on deployed CA certificates can use them to

  #   validate server/client certificates.

  command: "/usr/sbin/update-ca-certificates --fresh"

  when: deploy_ca_certificates_result.changed

- name: Set-up file diversions for custom files that overrride package-provided ones

  command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"

  register: "dpkg_divert"

  changed_when: "'Adding' in dpkg_divert.stdout"

  with_items:

    - "/usr/sbin/ferm"

  notify:

    - Restart ferm

- name: Deploy the patched ferm binary that disables use of legacy iptables

  copy:

    src: ferm_binary

    dest: /usr/sbin/ferm

    owner: root

    group: root

    mode: 0755

  notify:

    - Restart ferm

- name: Install ferm (for firewall management)

  apt:

    name: ferm

    state: present

- name: Configure ferm init script coniguration file

  copy:

    src: "ferm_default"

    dest: "/etc/default/ferm"

    owner: root

    group: root

    mode: 0644

  notify:

    - Restart ferm

- name: Create directory for storing ferm configuration files

  file:

    dest: "/etc/ferm/conf.d/"

    state: directory

    owner: root

    group: root

    mode: 0750

- name: Deploy main ferm configuration file

  copy:

    src: "ferm.conf"

    dest: "/etc/ferm/ferm.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Verify maintenance_allowed_sources parameter

  fail:

    msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}"

  with_items: "{{ maintenance_allowed_sources }}"

- name: Deploy ferm base rules

  template:

    src: "00-base.conf.j2"

    dest: "/etc/ferm/conf.d/00-base.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Enable and start ferm

  service:

    name: ferm

    state: started

    enabled: true

- name: Deploy script for flushing legacy iptables rules

  copy:

    src: "legacy_iptables_rules.sh"

    dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh"

    owner: root

    group: root

    mode: 0755

- name: Drop legacy iptables rules

  command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove"

  register: legacy_iptables_rules

  changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout"

  notify:

    - Restart ferm

- name: Deploy script for validating server certificates

  copy:

    src: "check_certificate.sh"

    dest: "/usr/local/bin/check_certificate.sh"

    owner: root

    group: root

    mode: 0755

- name: Set-up directory for holding configuration for certificate validation script

  file:

    path: "/etc/check_certificate"

    state: "directory"

    owner: root

    group: root

    mode: 0755

- name: Deploy crontab entry for checking certificates

  cron:

    name: "check_certificate"

    cron_file: "check_certificate"

    hour: "0"

    minute: "0"

    job: "/usr/local/bin/check_certificate.sh -q expiration"

    state: present

    user: nobody

- name: Install apticron (for checking available upgrades)

  apt:

    name: apticron

    state: present

# It would be too much hassle to detect changed state, so just ignore it.

- name: Preventively run apticron to avoid issues with locking

  command: /usr/sbin/apticron --cron

  changed_when: false

# Implementation for checking pip requirements files via via pip-tools.

- name: Install packages required for running pip requirements checks

  apt:

    name:

      - python3-setuptools

      - virtualenv

    state: present

- name: Create dedicated group for user running pip requirements checks

  group:

    name: "pipreqcheck"

    gid: "{{ pipreqcheck_gid | default(omit) }}"

    state: present

- name: Create user for running pip requirements checks

  user:

    name: "pipreqcheck"

    uid: "{{ pipreqcheck_uid | default(omit) }}"

    group: "pipreqcheck"

    home: "/var/lib/pipreqcheck"

    state: present

- name: Retrieve system Python interpreter version

  command:

    argv:

      - "/usr/bin/python3"

      - "-c"

      - "import sys; print(sys.version.split(' ')[0])"

  changed_when: false

  register: python_interpreter_version

- name: Retrieve virtual environment Python interpreter version (if initialised)

  command:

    argv:

      - "/var/lib/pipreqcheck/virtualenv/bin/python"

      - "-c"

      - "import sys; print(sys.version.split(' ')[0])"

  become: true

  become_user: "pipreqcheck"

  # Virtual environment perhaps does not exist.

  failed_when: false

  changed_when: false

  register: virtualenv_python_version

- name: Retrieve virtual environment prompt

  command:

    argv:

      - "bash"

      - "-c"

      - "source '/var/lib/pipreqcheck/virtualenv/bin/activate'; printenv PS1"

  become: true

  become_user: "pipreqcheck"

  failed_when: false

  changed_when: false

  register: current_virtualenv_prompt

- name: Remove virtual environment in case of mismatches

  file:

    path: "/var/lib/pipreqcheck/virtualenv"

    state: absent

  when: |

    virtualenv_python_version.rc != 0 or

    virtualenv_python_version.stdout.strip() != python_interpreter_version.stdout.strip() or

    current_virtualenv_prompt.stdout != "(pipreqcheck) "

- name: Create directory for Python virtual environment used for installing/running pip-tools

  file:

    path: "{{ item }}"

    state: directory

    owner: pipreqcheck

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/var/lib/pipreqcheck"

    - "/var/lib/pipreqcheck/virtualenv"

- name: Create Python virtual environment used for installing/running pip-tools

  command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'"

  args:

    creates: "{{ item.creates }}"

  become: true

  become_user: "pipreqcheck"

  with_items:

    - name: pipreqcheck

      virtualenv_path: "/var/lib/pipreqcheck/virtualenv"

      virtualenv_prompt: "pipreqcheck"

      python_path: "/usr/bin/python3"

      creates: "/var/lib/pipreqcheck/virtualenv/bin/python3"

- name: Create directory for storing pip requirements files

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/etc/pip_check_requirements_upgrades"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/etc/pip_check_requirements_upgrades/pipreqcheck"

- name: Deploy .in file for pip requirements in pip-tools virtual environment

  template:

    src: "pipreqcheck_requirements.in.j2"

    dest: "{{ item.path }}"

    owner: root

    group: pipreqcheck

    mode: 0640

  with_items:

    - path: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"

      requirements: "{{ pip_check_requirements_in }}"

- name: Deploy requirements file for pipreqcheck virtual environment

  template:

    src: "pipreqcheck_requirements.txt.j2"

    dest: "{{ item.file }}"

    owner: root

    group: pipreqcheck

    mode: 0640

  with_items:

    - file: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"

      requirements: "{{ pip_check_requirements }}"

- name: Install requirements in the pipreqcheck virtual environment

  pip:

    requirements: "{{ item.requirements }}"

    virtualenv: "{{ item.virtualenv }}"

  become: true

  become_user: pipreqcheck

  with_items:

    - virtualenv: "~pipreqcheck/virtualenv"

      requirements: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"

- name: Synchronise pip-tools virtual environment via deployed requirements file

  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"

  args:

    executable: /bin/bash

  become: true

  become_user: "pipreqcheck"

  register: pipreqcheck_pip_sync

  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"

- name: Deploy script for checking available upgrades

  copy:

    src: "pip_check_requirements_upgrades.sh"

    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"

    owner: root

    group: root

    mode: 0755

- name: Deploy crontab entry for checking pip requirements

  copy:

    src: "cron_check_pip_requirements"

    dest: "/etc/cron.d/check_pip_requirements"

    owner: root

    group: root

    mode: 0644

- name: Install NTP packages

  apt:

    name:

      - ntpsec

      - ntpsec-ntpdate

    state: present

  when: ntp_pools | length > 0

- name: Remove NTP packages

  apt:

    name:

      - ntpsec

      - ntpsec-ntpdate

    state: absent

    purge: true

  when: ntp_pools | length == 0

- name: Deploy NTP configuration

  template:

    src: "ntp.conf.j2"

    dest: "/etc/ntpsec/ntp.conf"

    owner: root

    group: root

    mode: 0644

  when: ntp_pools | length > 0

  notify:

    - Restart NTP server

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

#jinja2:trim_blocks:True,lstrip_blocks:True

# IPv4

domain ip {

    table filter {

        chain INPUT {

            policy DROP;

            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packages by sending them

            # to flood chain before state module kicks in.

            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packages we perform floods checks after state module took care

            # of established and related connections.

            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            # Accept some common incoming connections.

            proto icmp icmp-type echo-request ACCEPT;

            proto tcp dport 22 ACCEPT;

{% if maintenance %}

            # Validate source IP against list of allowed source addresses in maintenance mode.

            jump allowed_sources;

{% endif %}

        }

        # The flood chain is used for controlling the rate of the incoming connections.

        chain flood {

            # Rate-limit the ping requests.

            proto icmp icmp-type echo-request {

                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}

                    hashlimit-mode srcip hashlimit-name icmp RETURN;

                DROP;

            }

            # Rate-limit the TCP connections.

            proto tcp tcp-flags (FIN SYN RST ACK) SYN {

                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}

                    hashlimit-mode srcip hashlimit-name icmp RETURN;

                LOG;

                DROP;

            }

        }

{% if maintenance %}

        # Resume processing for allowed source addresses, otherwise drop packets.

        chain allowed_sources {

            {% for source in maintenance_allowed_sources %}

            saddr {{ source }} RETURN;

                {% endif %}

            {% endfor %}

            DROP;

        }

{% endif %}

    }

}

# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.

domain ip6 {

    table filter {

        chain INPUT {

            policy DROP;

            interface lo ACCEPT;

            # Make sure not to allow flooding via ICMP ping packages by sending them

            # to flood chain before state module kicks in.

            proto icmp icmp-type echo-request jump flood;

            mod state state (ESTABLISHED RELATED) ACCEPT;

            # For TCP packages we perform floods checks after state module took care

            # of established and related connections.

            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;

            # ICMPv6 packets required for proper functioning of IPv6.

            proto icmp icmp-type router-advertisement ACCEPT;

            proto icmp icmp-type neighbor-solicitation ACCEPT;

            proto icmp icmp-type neighbor-advertisement ACCEPT;

            # Accept some common incoming connections.

            proto icmp icmp-type echo-request ACCEPT;

            proto tcp dport 22 ACCEPT;

{% if maintenance %}

            # Validate source IP against list of allowed source addresses in maintenance mode.

            jump allowed_sources;

{% endif %}

        }

        # The flood chain is used for controlling the rate of the incoming connections.

        chain flood {

            # Rate-limit the ping requests.

            proto icmp icmp-type echo-request {

                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}

                    hashlimit-mode srcip hashlimit-name icmp RETURN;

                DROP;

            }

            # Rate-limit the TCP connections.

            proto tcp tcp-flags (FIN SYN RST ACK) SYN {

                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}

                    hashlimit-mode srcip hashlimit-name icmp RETURN;

                LOG;

                DROP;

            }

        }

{% if maintenance %}

        # Resume processing for allowed source addresses, otherwise drop packets.

        chain allowed_sources {

            {% for source in maintenance_allowed_sources %}

            saddr {{ source }} RETURN;

                {% endif %}

            {% endfor %}

            DROP;

        }

{% endif %}

    }

}