--- - name: Common tools hosts: vpn-host remote_user: root gather_facts: false vars_files: - config.cfg tasks: - name: Wait for port 22 to become available local_action: "wait_for port=22 host={{ inventory_hostname }}" - name: Updating apt-get raw: apt-get update -qq - name: Install python2.7 for Ansible raw: apt-get install -qq -y python2.7 - name: Install Updates, Patches and Additional Security Software apt: upgrade=dist update_cache=yes - name: Gather Facts setup: - name: Check if reboot is required shell: > if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi args: executable: /bin/bash register: reboot_required - name: Reboot shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 poll: 0 when: reboot_required is defined and reboot_required.stdout == 'required' ignore_errors: true - name: Wait for shutdown local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' - name: Wait until SSH becomes ready... local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' # SSH fixes - name: SSH config lineinfile: dest="{{ item.file }}" regexp="{{ item.regexp }}" line="{{ item.line }}" state=present with_items: - { regexp: '^PasswordAuthentication.*', line: 'PasswordAuthentication no', file: '/etc/ssh/sshd_config' } - { regexp: '^PermitRootLogin.*', line: 'PermitRootLogin without-password', file: '/etc/ssh/sshd_config' } - { regexp: '^UseDNS.*', line: 'UseDNS no', file: '/etc/ssh/sshd_config' } - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' } - { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256', file: '/etc/ssh/sshd_config' } - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1', file: '/etc/ssh/sshd_config' } notify: - restart ssh - name: PAM config replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" with_items: - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } - name: Install tools apt: name="{{ item }}" state=latest with_items: - git - screen - apparmor-utils - uuid-runtime - coreutils - auditd - rsyslog - sendmail - unattended-upgrades - privoxy - iptables-persistent - name: Unattended-upgrades configured template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=644 - name: Periodic upgrades configured template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=644 - hosts: 127.0.0.1 gather_facts: false vars_files: - config.cfg tasks: - debug: msg: - "#----------------------------------------------------------------------#" - "# Congratulations! #" - "# Your IPsec server is running. #" - "# Config files and X.509 certificates in the directory: ./configs/ #" - "# After connect go to https://www.dnsleaktest.com/ #" - "# and ensure that all your traffic passes through the VPN. #" - "#----------------------------------------------------------------------#" handlers: - name: restart auditd service: name=auditd state=restarted - name: restart rsyslog service: name=rsyslog state=restarted - name: restart ssh service: name=ssh state=restarted - name: flush routing cache shell: echo 1 > /proc/sys/net/ipv4/route/flush