Update common role

- Add secure-secure-shell task
- Add unattended-upgrades task
- Change package installation tasks
- Remove website tasks from generic services group
Alexander Dietrich 2017-02-05 13:45:33 +01:00
parent db911b40c1
commit 17468493cc
12 changed files with 242 additions and 22 deletions


@ -0,0 +1,24 @@
---
common_expected_packages:
- curl
- git
- python-virtualenv
- python3-virtualenv
- wget
ssh_match_blocks: []
unattended_upgrades_mail: false
unattended_upgrades_origins:
- o=${distro_id},n=${distro_codename},l=Debian-Security
- o=${distro_id},n=${distro_codename}-updates
- o=${distro_id},n=${distro_codename}-backports
unattended_upgrades_reboot: "false"
unattended_upgrades_reboot_time: "07:00"
user_sanity_packages:
- htop
- less
- mosh
- nano
- screen
- tree
- vim
- zsh
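Review bot: `unattended_upgrades_reboot: "false"` is a quoted string while `unattended_upgrades_mail: false` two keys above it is a real boolean, and the defaults file does not say why. The reboot value is interpolated verbatim into `Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_reboot }}"` in the 50unattended-upgrades template further down this page, so an override written as a bare `true` would render as `True` rather than the documented lowercase form. I would add a comment above the key, for example `# string on purpose: rendered verbatim into apt.conf`, or render it with `{{ unattended_upgrades_reboot | lower }}` in the template. A short comment on `unattended_upgrades_origins` stating that the `-updates` and `-backports` origins are upgraded automatically as well as security would also help anyone overriding the list.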


@ -0,0 +1,5 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";


@ -0,0 +1,8 @@
---
- name: upgrade packages
apt:
upgrade: full
update_cache: yes
- name: clean package cache
command: apt-get clean
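Review bot: The `upgrade packages` handler uses `upgrade: full`, which is allowed to remove installed packages to resolve dependencies. It is notified by the `template 50unattended-upgrades` task in the unattended-upgrades tasks on this page. An edit to that config file therefore triggers an immediate full upgrade from every configured repository, not only the origins listed in `unattended_upgrades_origins`. I would use `upgrade: safe` in the handler, or drop the `notify` and let unattended-upgrades apply updates on its own schedule. `update_cache: yes` would also read better as `update_cache: true`.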


@ -1,19 +1,11 @@
---
- name: run apt-get update
apt: update_cache=yes
tags:
- common
- name: install common packages
apt: name={{ item }} state=latest
with_items:
- aptitude
- curl
- git
- mosh
- nano
- python
- wget
- zsh
tags:
- common
- include: pre-tasks.yml
tags: common
- include: secure-secure-shell.yml
tags: common
- include: unattended-upgrades.yml
tags: common
- include: user-sanity.yml
tags: common
- include: post-tasks.yml
tags: common


@ -0,0 +1,6 @@
---
- name: install expected packages
apt:
name: "{{ item }}"
state: present
with_items: "{{ common_expected_packages }}"


@ -0,0 +1,8 @@
---
- name: install requirements for some Ansible operations
apt:
name: "{{ item }}"
state: present
with_items:
- aptitude
- python-apt


@ -0,0 +1,28 @@
# Secure SSH Configuration
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
---
- name: check for ED25519 host key
stat: path=/etc/ssh/ssh_host_ed25519_key
register: f
- fail: msg="No ED25519 host key found"
when: not f.stat.exists
- name: check for RSA host key
stat: path=/etc/ssh/ssh_host_rsa_key
register: f
- fail: msg="No RSA host key found"
when: not f.stat.exists
- name: template sshd_config
template:
src: templates/sshd_config.j2
dest: /etc/ssh/sshd_config
backup: yes
register: sshd_config
# reload sshd now in case the handlers don't run
- name: reload sshd
service:
name: ssh
state: reloaded
when: sshd_config.changed
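Review bot: The `template sshd_config` task overwrites /etc/ssh/sshd_config and the next task reloads ssh without the rendered file ever being syntax-checked. The template on this page sets `PasswordAuthentication no` and `PermitRootLogin no` and expands free-form `ssh_match_blocks` entries, so a bad option or an algorithm name the installed sshd does not recognise could leave the host unreachable after the reload. I would add `validate: '/usr/sbin/sshd -t -f %s'` to the template task so an invalid file is never installed. The two `fail` tasks also have no `name`, and both `stat` results are registered as `f`; names such as `ed25519_key` and `rsa_key` would make the play output easier to read.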


@ -0,0 +1,18 @@
---
- name: install unattended-upgrades
apt:
name: unattended-upgrades
state: present
- name: copy 10periodic
copy:
src: files/10periodic
dest: /etc/apt/apt.conf.d
- name: template 50unattended-upgrades
template:
src: templates/50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
notify:
- upgrade packages
- clean package cache
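Review bot: The `copy 10periodic` and `template 50unattended-upgrades` tasks write apt configuration without setting ownership or permissions, so the result depends on the source file and the umask in effect. For files that decide what gets installed automatically I would pin them with `owner: root`, `group: root` and `mode: "0644"` on both tasks. The copy task's `dest: /etc/apt/apt.conf.d` also names the directory rather than the file; `dest: /etc/apt/apt.conf.d/10periodic` makes the target explicit and matches the template task below it.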


@ -0,0 +1,25 @@
---
- name: purge vim-tiny
apt:
name: vim-tiny
state: absent
purge: yes
- name: install user sanity packages
apt:
name: "{{ item }}"
state: present
with_items: "{{ user_sanity_packages }}"
- name: check for /etc/screenrc
stat: path=/etc/screenrc
register: f
- name: disable screen startup message
lineinfile:
dest: /etc/screenrc
regexp: '^#(startup_message off)$'
line: '\1'
backrefs: yes
backup: yes
when: f.stat.exists


@ -0,0 +1,84 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "crontrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
{% for origin in unattended_upgrades_origins %}
"{{ origin }}";
{% endfor %}
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
{% if unattended_upgrades_mail %}
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "{{ unattended_upgrades_mail }}";
{% endif %}
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_reboot }}";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_reboot_time }}";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Do not cause conffile prompts
Dpkg::Options { --force-confold; };


@ -0,0 +1,26 @@
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
ChallengeResponseAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
IgnoreUserKnownHosts yes
PermitRootLogin no
PrintMotd no
StrictModes yes
Subsystem sftp internal-sftp
UsePAM yes
{% for block in ssh_match_blocks %}
Match {{ block.match }}
{% for option in block.options %}
{{ option }}
{% endfor %}
{% endfor %}
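Review bot: The `MACs` line still offers `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, and the non-ETM entries at the end of the list remain available as fallbacks. The algorithm lists are fixed strings, so a host whose sshd does not know one of the names will, as far as I know, reject the whole file. I would drop the two RIPEMD-160 entries, which newer OpenSSH releases no longer provide. The line would then start `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com`, followed by whichever non-ETM fallbacks are really needed. A first line of `# {{ ansible_managed }}` would also tell anyone editing the file on the host that it is generated.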


@ -2,7 +2,3 @@
- hosts: services
roles:
- ntp-server
- website/ffnord
- website/media
- website/meta