

branko
MAR-12: Updated the common role to deploy ferm, and set up a basic firewall allowing incoming SSH and ICMP echo requests (ping).
---

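# Enforce a restrictive default umask (027) for logins and for newly created
# home directories, so files are not world-readable by default.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration

# No backrefs here on purpose: with backrefs=yes lineinfile makes no change at
# all when the regexp does not match, so a missing or commented-out UMASK line
# would silently leave the distribution default (022) in place. Without it an
# existing active "UMASK <value>" line is replaced and the directive is
# appended when absent, so the setting is always enforced.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    regexp: '^UMASK\s'
    line: 'UMASK 027'

# Same reasoning: always end up with DIR_MODE=0750 (home directories not
# readable by other users), whether or not adduser.conf already had the key.
- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'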

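# Baseline packages for every managed host. sudo is the privilege-escalation
# path for the accounts created below; ssl-cert is presumably installed so the
# ssl-cert group and snakeoil certificate it ships exist before later roles run.
- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

# common_packages comes from inventory/role variables. The loop uses the
# templated "{{ ... }}" form: a bare variable name in with_items is deprecated
# and rejected by newer Ansible releases.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ common_packages }}"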

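# Shared groups (os_groups) and per-user accounts (os_users). Everything in
# this section is additive: a user, group or key dropped from the variables is
# NOT removed from the host (no state=absent, append=true, non-exclusive
# authorized keys), so revocation has to be handled explicitly elsewhere.
- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid }}"
    state: present
  with_items: "{{ os_groups }}"

# Private primary group per user, with the gid equal to the user's uid.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid }}"
    state: present
  with_items: "{{ os_users }}"

# item.password is expected to be a crypt(3)-style hash: the user module
# stores the value as-is, so a plaintext value produces an account whose
# password cannot be used (keep hashes in vault, not plain inventory).
# append=true only adds the listed additional_groups; a membership removed
# from the variable persists on the host until removed by hand.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password }}"
  with_items: "{{ os_users }}"

# One authorized_keys entry per (user, key) pair. Keys are only added; a key
# removed from the variables stays on the host unless revoked separately.
# Exclusive mode is deliberately not used so manually added keys survive.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users }}"
    - authorized_keys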

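# SSH hardening: no direct root logins and key-only authentication. Each edit
# is checked with "sshd -t" before the file is written, so a malformed
# sshd_config cannot be installed and then break the daemon on the notified
# restart (which would lock the control host out).
#
# Caveats: lineinfile appends the directive at EOF when no uncommented
# PermitRootLogin/PasswordAuthentication line exists; if sshd_config ends with
# a "Match" block the appended line becomes part of that block rather than a
# global setting. Keyboard-interactive logins (ChallengeResponseAuthentication)
# are not touched here — Debian's stock config disables them, but confirm on
# targets where that may have been changed.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH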

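# Extra CA certificates trusted by this host: each file in ca_certificates is
# copied into /etc/ssl/certs under its own basename and the certificate cache
# handler is notified.
# NOTE(review): update-ca-certificates manages CAs placed under
# /usr/local/share/ca-certificates/*.crt (symlinking them into /etc/ssl/certs
# and adding them to the ca-certificates.crt bundle); files copied straight
# into /etc/ssl/certs may not end up in the bundle — confirm that consumers
# relying on the bundle file actually see these CAs.
- name: Deploy CA certificates
  copy:
    src: "{{ item }}"
    dest: "/etc/ssl/certs/{{ item | basename }}"
    owner: root
    group: root
    mode: "0644"
  with_items: "{{ ca_certificates }}"
  notify:
    - Update CA certificate cache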

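# Host firewall via ferm: a static main ferm.conf plus a drop-in directory
# /etc/ferm/conf.d/ (presumably included from ferm.conf) holding the rendered
# baseline policy 00-base.conf. Rule files are root:root 0640 and the drop-in
# directory 0750 so the firewall policy is not world-readable.
- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present  # "installed" is a deprecated alias; match the other apt tasks

- name: Configure ferm init script configuration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

- name: Create directory for storing ferm configuration files
  file:
    dest: /etc/ferm/conf.d/
    state: directory
    owner: root
    group: root
    mode: "0750"

# Ownership and mode are set explicitly here (previously left to the copy
# module's defaults), consistent with the rest of this role's config files.
- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# NOTE(review): the rendered 00-base.conf must keep SSH reachable from the
# control host; applying a ruleset without that rule locks Ansible out.
- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# enabled=true makes ferm come up at boot; state=started alone would leave a
# rebooted host without its firewall if the service were not registered.
- name: Enable ferm service
  service:
    name: ferm
    state: started
    enabled: true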