Functional base playbook

2021-02-12 22:13:37 +01:00 · 2021-02-12 22:13:37 +01:00 · 1d649fee18
commit 1d649fee18
25 changed files with 385 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+~/.vault_password
--- a/README.md
+++ b/README.md
@ -0,0 +1,42 @@
+### Install Ansible
+
+```
+pip install -r requirements.txt
+```
+
+### Ansible Vault
+
+To manage secrets, this repository use Ansible Vault.
+
+Create a secret
+
+```
+ansible-vault create inv/host_vars/new.chosto.me/secrets.yml
+```
+
+Edit a secret
+
+```
+ansible-vault edit inv/host_vars/new.chosto.me/secrets.yml
+```
+
+### Server
+
+All servers managed should have this base configuration in order to work :
+
+- a user `chosto`
+- SSH access allowed for this user
+- a root access (`sudo`) for user `chosto` with a password specified as `ansible_become_pass` in inventory
+
+*e.g.*
+
+```
+# adduser chosto
+# adduser chosto sudo
+```
+
+## Usage
+
+```
+ansible-playbook [-t tag1 tag2...] all.yml
+```
--- a/all.yml
+++ b/all.yml
@ -0,0 +1,18 @@
+---
+- hosts: all
+  become: yes
+  roles:
+    - role: base
+      tags: ["base"]
+    - role: cron
+      tags: ["cron"]
+    - role: ufw
+      tags: ["ufw"]
+    - role: fail2ban
+      tags: ["fail2ban"]
+
+- hosts: all
+  become: yes
+  roles:
+    - role: "node-exporter"
+      tags: ["node-exporter"]
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,35 @@
+[defaults]
+
+# No cows because I am not a funny person
+nocows = 1
+force_color = True
+stdout_callback = unixy
+
+# Default inventory file, override with -i
+inventory = ./inv/static.yml
+
+# Where to load roles
+roles_path = ./roles
+
+# Smart facts gathering : https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-gathering
+gathering = smart
+
+# Local file with vault password
+vault_password_file = ~/.vault_password
+
+# Do not create .retry files
+retry_files_enabled = False
+
+# python interpreter auto-discovery
+interpreter_python = /usr/bin/python3
+
+# Fail on undefined variables
+error_on_undefined_vars = True
+
+[privilege_escalation]
+# Default sudo user
+become_user = root
+
+[ssh_connection]
+pipelining = True
+scp_if_ssh = True
--- a/inv/group_vars/all/vars.yml
+++ b/inv/group_vars/all/vars.yml
@ -0,0 +1,10 @@
+ihl_base_users:
+  - name: chosto
+    group: chosto
+    groups:
+      - sudo
+    ssh_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6fs07sdt9PbzzQ6IA2tkbPLqspaWXAMLzUK/LtXQBhN/+q4Bxz4I4eUyF7regsWgvOObjKoMilGfOXi2Q8ZZIXZ3DBqSMJpYkwVC0qqU3YJfVLhNa1NU5m+QYqhmREu8HIIFty4jZRTmkAxjy5Zv8af4l3q0VEWUxGV0MoDsJYroao5UcOPKo/Qv75ZIy7x4KWLcXMM1jYLczjF0E6XR99aOWex1XuAvW5bDS9wC+fAN/nMRS7A6Wsvt2tyth9lR40fM0IaUjG+TjQ2CCbmp7zFBpa0LQcCktksSXpfd4Vj6eczHz7N+l1V+inbAd99s84K7LKoTH0tXv02c42XSK52pVBUzyif2EO85dgHJ3NFmTcNdRJ1v5bSRu3vm0Gcq0kgWjYZq2TCHUYOkm5WWdJuDLIbPLydaSr8LGfv+QqL6RHJnKBt5CZ5Nrrei/ZPTjZCm/OgCrmbMQQeoSpE8ZBEMSlN5An5+ZuaR7BPfCNFoQK/mcbA2cqs6ZiNUQdoeb93DAbsQMqDtCnevDf7hbiy282rRMkRYX5Cj6vt3jpUKS7vwoDMIKWYAOKASPZ2IgvC6Buj8aE4p24qR3xbiTHF4iJyxdo2B/x1pwT+kRmCdmCK5XnlkrQfrwP1Kkaiz88XOxkqfsvpRWd1JUUcipYbO+7zTvVQZkLnKZ2AzciQ== quentinduchemin@tuta.io
+
+ihl_base_ssh_users:
+  - chosto
--- a/inv/host_vars/new.chosto.me/secrets.yml
+++ b/inv/host_vars/new.chosto.me/secrets.yml
@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33343337653333343366613634323137303835383230363964333832666562633230656233636530
+3462643333626535363437656337363239653533633830320a633762323565393235616431626361
+65313861666266313336626537383636666566383634363234613532373631343061323837633636
+3762333033636462330a323362323034336365326432373030626634396265343365393162326538
+33663862303831646239383735353766616464386532346665316664376434666363633034396363
+3763316133353034653439316538383563353739323132626164
--- a/inv/host_vars/new.chosto.me/vars.yml
+++ b/inv/host_vars/new.chosto.me/vars.yml
@ -0,0 +1,10 @@
+firewall_in_ports:
+  - "80"
+  - "443"
+  - "{{ ssh_port }}"
+
+hostname: chosto
+
+ssh_port: "2220"
+
+prometheus_server_ip: "51.178.182.35"
--- a/inv/static.yml
+++ b/inv/static.yml
@ -0,0 +1,6 @@
+all:
+  hosts:
+    new.chosto.me:
+      ansible_port: 2220
+      ansible_user: chosto
+      ansible_ssh_private_key_file: ~/.ssh/scaleway
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1 @@
+ansible==2.9.6
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@ -0,0 +1,6 @@
+ihl_base_apt_packages_addons:
+ihl_base_apt_cache_time: 3600
+
+ihl_base_additional_groups: []
+ihl_base_users: []
+ihl_base_ssh_users: []
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -0,0 +1,4 @@
+- name: Restarts sshd
+  service:
+    name: ssh
+    state: restarted
--- a/roles/base/tasks/apt.yml
+++ b/roles/base/tasks/apt.yml
@ -0,0 +1,15 @@
+- name: Update apt cache
+  apt:
+    update_cache: yes
+    cache_valid_time: "{{ ihl_base_apt_cache_time }}"
+  tags: ["update-apt-cache"]
+
+- name: Install base packages
+  apt:
+    name: "{{ ihl_base_apt_packages }}"
+    state: present
+
+- name: Install additional packages
+  apt:
+    name: "{{ ihl_base_apt_packages_addons }}"
+    state: present
--- a/roles/base/tasks/hostname.yml
+++ b/roles/base/tasks/hostname.yml
@ -0,0 +1,11 @@
+---
+- name: Set hostname
+  hostname:
+    name: "{{ hostname }}"
+
+- name: Add myself to /etc/hosts
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '^127\.0\.0\.1[ \t]+localhost'
+    line: '127.0.0.1 localhost {{ hostname }}'
+    state: present
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -0,0 +1,15 @@
+- include: apt.yml
+  tags:
+    - apt
+
+- include: users.yml
+  tags:
+    - users
+
+- include: hostname.yml
+  tags:
+    - hostname
+
+- include: ssh.yml
+  tags:
+    - ssh
--- a/roles/base/tasks/ssh.yml
+++ b/roles/base/tasks/ssh.yml
@ -0,0 +1,17 @@
+- name: Deploys sshd config
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restarts sshd
+
+- name: Configure authorized SSH keys
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.ssh_keys | default([]) | join('\n') }}"
+    state: present
+    exclusive: True
+  loop: "{{ ihl_base_users }}"
--- a/roles/base/tasks/users.yml
+++ b/roles/base/tasks/users.yml
@ -0,0 +1,32 @@
+- name: Creates primary groups
+  group:
+    name: "{{ item.group | default(item.name) }}"
+    state: present
+  loop: "{{ ihl_base_users }}"
+
+- name: Creates additional groups
+  group:
+    name: "{{ item.name }}"
+    gid: "{{ item.gid | default(omit) }}"
+    state: present
+  loop: "{{ ihl_base_additional_groups }}"
+
+- name: Creates users
+  user:
+    name: "{{ item.name }}"
+    uid: "{{ item.uid | default(omit) }}"
+    group: "{{ item.group | default(item.name) }}"
+    groups: "{{ item.groups | default([]) | union([item.group | default(item.name)]) | unique }}"
+    home: "{{ item.home | default('/home/' ~ item.name ) }}"
+    shell: /bin/bash
+    password: "{{ item.password | default(omit) }}"
+    update_password: on_create
+    system: "{{ item.system | default(omit) }}"
+    append: "{{ user.append | default('yes') }}"
+  loop: "{{ ihl_base_users }}"
+
+- name: Remove "debian" user
+  user:
+    name: debian
+    state: absent
+    remove: yes
--- a/roles/base/templates/sshd_config.j2
+++ b/roles/base/templates/sshd_config.j2
@ -0,0 +1,56 @@
+Port {{ ssh_port }}
+
+# Necessary so X11 still works without IPv6
+AddressFamily inet
+
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+LoginGraceTime 2m
+PermitRootLogin prohibit-password
+StrictModes yes
+PubkeyAuthentication yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+
+# Disable several features
+KerberosAuthentication no
+GSSAPIAuthentication no
+UseDNS no
+X11Forwarding no
+
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+AllowUsers {{ ihl_base_ssh_users | join(' ') }}
--- a/roles/base/vars/main.yml
+++ b/roles/base/vars/main.yml
@ -0,0 +1,16 @@
+ihl_base_apt_packages:
+  - apt-transport-https
+  - ca-certificates
+  - curl
+  - dnsutils
+  - git
+  - htop
+  - jq
+  - less
+  - lm-sensors
+  - python3
+  - python3-pip
+  - python3-setuptools
+  - smartmontools
+  - sudo
+  - nano
--- a/roles/cron/handlers/main.yml
+++ b/roles/cron/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted
--- a/roles/cron/tasks/main.yml
+++ b/roles/cron/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Enable logging for cron
+  lineinfile:
+    path: /etc/rsyslog.conf
+    regexp: "^cron.* /var/log/cron.log"
+    insertafter: "^#cron.*"
+    line: "cron.* /var/log/cron.log"
+  notify: Restart rsyslog
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
@ -0,0 +1,4 @@
+- name: Restarts fail2ban
+  service:
+    name: fail2ban
+    state: restarted
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@ -0,0 +1,21 @@
+---
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
+- name: Enable fail2ban for SSH
+  template:
+    src: jail.local.j2
+    # jail.local overrides jail.conf but does not replace
+    # we can just put our little SSH conf (port and log file) inside
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restarts fail2ban
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    enabled: true
--- a/roles/fail2ban/templates/jail.local.j2
+++ b/roles/fail2ban/templates/jail.local.j2
@ -0,0 +1,5 @@
+[sshd]
+mode   = normal
+port    = {{ ssh_port }}
+logpath = {{ fail2ban_log_path | default('/var/log/fail2ban.log') }}
+backend = %(sshd_backend)s
--- a/roles/node-exporter/tasks/main.yml
+++ b/roles/node-exporter/tasks/main.yml
@ -0,0 +1,14 @@
+---
+- name: Prometheus node exporter
+  apt:
+    name:
+      - prometheus-node-exporter
+    state: present
+
+- name: Allow queries from prometheus server
+  ufw:
+    rule: allow
+    port: "9100"
+    direction: in
+    proto: tcp
+    from: "{{ prometheus_server_ip }}"
--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@ -0,0 +1,26 @@
+---
+- name: Install ufw
+  apt:
+    name:
+      - ufw
+    state: present
+
+- name: Configure UFW rules
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    direction: in
+    proto: any
+  loop: "{{ firewall_in_ports }}"
+
+- name: Set firewall default in policy
+  ufw:
+    state: enabled
+    direction: incoming
+    policy: deny
+
+- name: Set firewall default out policy
+  ufw:
+    state: enabled
+    direction: outgoing
+    policy: allow