algo/common.yml
2016-07-31 07:08:59 -04:00

117 lines
4.3 KiB
YAML

---
- name: Common tools
hosts: vpn-host
remote_user: root
gather_facts: false
vars_files:
- config.cfg
tasks:
- name: Wait for port 22 to become available
local_action: "wait_for port=22 host={{ inventory_hostname }}"
- name: Updating apt-get
raw: apt-get update -qq
- name: Install python2.7 for Ansible
raw: apt-get install -qq -y python2.7
- name: Gather Facts
setup:
- name: Install Updates, Patches and Additional Security Software
apt: upgrade=dist update_cache=yes
- name: Check if reboot is required
shell: >
if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi
args:
executable: /bin/bash
register: reboot_required
- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
when: reboot_required is defined and reboot_required.stdout == 'required'
ignore_errors: true
- name: Wait for shutdown
local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
- name: Wait until SSH becomes ready...
local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
# SSH fixes
- name: SSH config
lineinfile: dest="{{ item.file }}" regexp="{{ item.regexp }}" line="{{ item.line }}" state=present
with_items:
- { regexp: '^PasswordAuthentication.*', line: 'PasswordAuthentication no', file: '/etc/ssh/sshd_config' }
- { regexp: '^PermitRootLogin.*', line: 'PermitRootLogin without-password', file: '/etc/ssh/sshd_config' }
- { regexp: '^UseDNS.*', line: 'UseDNS no', file: '/etc/ssh/sshd_config' }
- { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' }
- { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256', file: '/etc/ssh/sshd_config' }
- { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1', file: '/etc/ssh/sshd_config' }
notify:
- restart ssh
- name: PAM config
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
- name: Install tools
apt: name="{{ item }}" state=latest
with_items:
- git
- screen
- apparmor-utils
- uuid-runtime
- coreutils
- auditd
- rsyslog
- sendmail
- unattended-upgrades
- privoxy
- iptables-persistent
- name: Unattended-upgrades configured
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=644
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=644
- hosts: 127.0.0.1
gather_facts: false
vars_files:
- config.cfg
tasks:
- debug:
msg:
- "#----------------------------------------------------------------------#"
- "# Congratulations! #"
- "# Your IPsec server is running. #"
- "# Config files and X.509 certificates in the directory: ./configs/ #"
- "# After connect go to https://www.dnsleaktest.com/ #"
- "# and ensure that all your traffic passes through the VPN. #"
- "#----------------------------------------------------------------------#"
handlers:
- name: restart auditd
service: name=auditd state=restarted
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: restart ssh
service: name=ssh state=restarted
- name: flush routing cache
shell: echo 1 > /proc/sys/net/ipv4/route/flush