Initial commit

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00
commit 60b8ecdd4c
36 changed files with 1450 additions and 0 deletions
--- a/roles/common/tasks/iptables_Debian.yml
+++ b/roles/common/tasks/iptables_Debian.yml
@ -0,0 +1,10 @@
+---
+- name: Install iptables-persistent
+  apt: pkg=iptables-persistent update_cache=yes
+  tags: firewall
+
+- name: Copy /etc/iptables/rules.v4
+  template: src=iptables.j2 dest=/etc/iptables/rules.v4 owner=root mode=0600
+  notify:
+    - restart iptables-persistent
+  tags: firewall
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -0,0 +1,38 @@
+---
+# not needed on OpenStack images...
+#- name: Set hostname
+#  hostname: name={{ inventory_hostname }}
+#  tags: hostname
+#
+#- name: Add hostname to /etc/hosts
+#  lineinfile: dest=/etc/hosts insertafter=^127.0.0.1 line='127.0.1.1       {{ inventory_hostname }}'
+#  tags: hostname
+
+- include: packages_Ubuntu.yml
+  when: "ansible_distribution == 'Ubuntu'"
+  tags: packages
+
+- include: iptables_Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: Reconfigure /etc/ssh/sshd_config
+  template: src=sshd_config_{{ansible_distribution}}-{{ansible_distribution_version}}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
+  notify:
+  - restart sshd
+  tags: sshd
+
+- name: Reconfigure /etc/sysctl.conf
+  template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  notify:
+  - reload sysctl
+  tags: sysctl
+
+- name: Reconfigure /etc/rc.local
+  when: "ansible_distribution == 'CentOS'"
+  template: src=rc.local_{{ ansible_distribution }}.j2 dest=/etc/rc.d/rc.local owner=root group=root mode=0755
+
+- name: Reconfigure /etc/rc.local
+  when: "ansible_distribution == 'Debian'"
+  template: src=rc.local_{{ ansible_distribution }}.j2 dest=/etc/rc.local owner=root group=root mode=0755
+
+# vim: set sw=2 ts=2:
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@ -0,0 +1,50 @@
+---
+- name: Configure apt mirror
+  template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+
+- name: Add GPG key for Extras repo
+  apt_key: id=0x3E5C1192 url=http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x16126D3A3E5C1192 state=present
+
+- name: Upgrade base OS
+  apt: upgrade=dist update_cache=yes
+
+- name: Install base packages
+  apt: pkg={{ item }}
+  with_items:
+    - ntp
+    - git
+    - tmux
+    - iotop
+    - htop
+    - strace
+    - s3cmd
+    - cron-apt
+    - safe-rm
+    - debian-goodies
+    - mosh
+    - python-pycurl # for ansible's apt_repository
+    - sysv-rc-conf
+    - lzop
+    - vim
+
+- name: Security hardening (CIS Benchmark 1.0)
+  apt: pkg={{ item }} state=absent purge=yes
+  with_items:
+    - whoopsie # CIS 4.1
+    - apport   # CIS 4.1
+
+- name: Remove annoying packages
+  apt: pkg={{ item }} state=absent purge=yes
+  with_items:
+    - command-not-found
+    - command-not-found-data
+    - python3-commandnotfound
+
+- name: Configure cron-apt (config)
+  copy: src=cron-apt/config dest=/etc/cron-apt/config mode=0644 owner=root group=root
+
+- name: Configure cron-apt (config)
+  copy: src=cron-apt/3-download dest=/etc/cron-apt/action.d/3-download mode=0644 owner=root group=root
+
+- name: Configure cron-apt (security)
+  copy: src=cron-apt/security.sources.list dest=/etc/apt/security.sources.list mode=0644 owner=root group=root