Used after backup_user_setup.yml to push basic config changes
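---
# Second-stage provisioning play: runs after backup_user_setup.yml has created
# the "backup" account and pushes the baseline configuration to a new server.
#
# Changes from the original listing:
#   - module arguments are native YAML mappings instead of key=value strings;
#   - file modes are quoted so YAML never reinterprets the leading-zero octal;
#   - `become: yes` is the canonical boolean `true`;
#   - local_action shorthand is written as a module plus `delegate_to: localhost`
#     (same behaviour: the task runs on the controller);
#   - the dc_other_hostnames value (exim4 task) ended with a stray "$" instead
#     of the closing single quote; it is terminated properly here.
# Module names and the `include:` task are kept as written so the play stays
# compatible with the Ansible release it was authored against.
- name: Roll out basic config changes to a new server
  hosts: all
  remote_user: backup
  become: true
  tasks:
    - name: Disable root login in sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin '
        line: 'PermitRootLogin no'
        state: present
        insertafter: EOF

    # NOTE(review): mode 0744 is kept from the original for every templated
    # config file below; none of them needs the execute bit, 0644 would do.
    - name: Copy over resolv.conf
      template:
        src: /etc/resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: "0744"

    # Install basic packages #
    - name: Install python
      apt:
        name: python
        update_cache: true  # the only apt task that refreshes the cache; the rest reuse it

    - name: Install bash-completion
      apt:
        name: bash-completion

    - name: Install git
      apt:
        name: git

    - name: Install etckeeper
      apt:
        name: etckeeper

    # Make etckeeper commit whenever apt installs something #
    - name: Copy over 99git-gc
      template:
        src: /etc/etckeeper/post-install.d/99git-gc
        dest: /etc/etckeeper/post-install.d/99git-gc
        owner: root
        group: root
        mode: "0744"

    # SET UP exim4 #
    - name: Install exim4
      apt:
        name: exim4

    - name: Copy over exim4 config
      template:
        src: /etc/exim4/update-exim4.conf.conf
        dest: /etc/exim4/update-exim4.conf.conf
        owner: root
        group: root
        mode: "0744"

    - name: Apply exim4 config
      command: /usr/sbin/update-exim4.conf

    - name: Set root email alias to sysadmin address
      lineinfile:
        path: /etc/aliases
        regexp: '^root:'
        # Address reproduced as shown in the listing; it looks like a redacted
        # placeholder and must be replaced with the real sysadmin mailbox.
        line: 'root: [email protected]'
        state: present

    - name: Update aliases.db
      command: /usr/bin/newaliases

    # Runs on the controller, with the play's become setting inherited.
    - name: Generate a /etc/mailname file for each host
      command: "/usr/local/bin/generate_mailname.sh {{ inventory_hostname }}"
      delegate_to: localhost

    - name: Copy /etc/mailname file to host
      copy:
        src: "/tmp/mailname_{{ inventory_hostname }}"
        dest: /etc/mailname
        owner: root
        mode: "0644"

    - name: Set exim to accept mail destined for the host's hostname and FQDN
      lineinfile:
        state: present
        path: /etc/exim4/update-exim4.conf.conf
        regexp: '^dc_other_hostnames=.*$'
        # The written value is a shell-style single-quoted list, as
        # update-exim4.conf.conf expects; the original ended it with "$".
        line: "dc_other_hostnames='{{ inventory_hostname }}.freewirebroadband.com; {{ inventory_hostname }}'"

    - name: Restart exim4
      service:
        name: exim4
        state: restarted

    - name: Delete local mailname file for host
      file:
        path: "/tmp/mailname_{{ inventory_hostname }}"
        state: absent
      delegate_to: localhost

    # SET UP ntp #
    - name: Install ntp
      apt:
        name: ntp

    - name: Copy over ntp.conf
      template:
        src: /etc/ntp.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: "0744"

    - name: Restart ntp service
      service:
        name: ntp
        state: restarted

    # ntpq -p prints the peer list / sync status; it does not itself step the
    # clock, so this task is a report rather than a forced sync.
    - name: Sync clock
      command: /usr/bin/ntpq -p

    # Set up login banners #
    - name: Enable banner in sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Banner '
        line: 'Banner /etc/issue.net'
        state: present
        insertbefore: BOF

    - name: Copy over /etc/issue
      template:
        src: /etc/issue
        dest: /etc/issue
        owner: root
        group: root
        mode: "0744"

    - name: Copy over /etc/issue.net
      template:
        src: /etc/issue.net
        dest: /etc/issue.net
        owner: root
        group: root
        mode: "0744"

    # Set up snmpd #
    - name: Install snmpd
      apt:
        name: snmpd

    # make sure local permissions will allow us to copy file
    # NOTE(review): 0755 makes the controller's copy world-readable. snmpd.conf
    # usually carries community strings, so a group-readable mode for the user
    # running Ansible would expose less; the same applies to the iptables rules
    # and pam_radius_auth.conf tasks below.
    - name: Set local permissions on snmpd.conf
      file:
        path: /etc/snmp/snmpd.conf
        mode: "0755"
      delegate_to: localhost

    - name: Copy over snmpd.conf
      template:
        src: /etc/snmp/snmpd.conf
        dest: /etc/snmp/snmpd.conf
        owner: root
        group: root
        mode: "0740"

    - name: Copy over /etc/default/snmpd
      template:
        src: /etc/default/snmpd
        dest: /etc/default/snmpd
        owner: root
        group: root
        mode: "0644"

    # two restarts because only doing one doesn't always work
    - name: restart snmpd
      service:
        name: snmpd
        state: restarted

    - name: restart snmpd
      service:
        name: snmpd
        state: restarted

    # SET UP rsyslog to Graylog #
    - name: Set rsyslog to log to graylog
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: 'atlas-graylog:55516'
        # A single "@" is rsyslog's plain UDP forwarder, so log lines travel
        # unencrypted; "@@" (TCP) or an RELP/TLS output would be the hardened form.
        line: '*.*;mail.warn @atlas-graylog:55516'
        state: present

    - name: Restart rsyslog
      service:
        name: rsyslog
        state: restarted

    # SET UP iptables #
    - name: Install iptables-persistent
      apt:
        name: iptables-persistent

    # make sure local permissions will allow us to copy file
    - name: Set local permissions on iptables IPv4 config
      file:
        path: /etc/iptables/rules.v4
        mode: "0755"
      delegate_to: localhost

    - name: Set local permissions on iptables IPv6 config
      file:
        path: /etc/iptables/rules.v6
        mode: "0755"
      delegate_to: localhost

    - name: Copy over IPv4 iptables rules
      template:
        src: /etc/iptables/rules.v4
        dest: /etc/iptables/rules.v4
        owner: root
        group: root
        mode: "0744"

    - name: Copy over IPv6 iptables rules
      template:
        src: /etc/iptables/rules.v6
        dest: /etc/iptables/rules.v6
        owner: root
        group: root
        mode: "0744"

    - name: Load iptables rules
      command: /usr/sbin/service netfilter-persistent reload

    # SET UP RADIUS auth #
    # NOTE(review): the package is fetched over plain HTTP from an internal
    # mirror and no checksum or signature is pinned here, so the install trusts
    # the network path end to end. Serving it from a signed apt repository (or
    # downloading with get_url plus a checksum first) would close that gap.
    - name: Install libpam-radius-auth
      apt:
        deb: http://apt.internal.gofreewire.com/libpam-radius-auth_1.3.17-0ubuntu4_amd64.deb

    # pam_radius_auth.conf holds the RADIUS shared secret; the remote copy is
    # deliberately 0600 below, but this leaves the controller's copy at 0755.
    - name: Set local permissions on pam_radius_auth.conf
      file:
        path: /etc/pam_radius_auth.conf
        mode: "0755"
      delegate_to: localhost

    - name: Copy over PAM RADIUS config
      template:
        src: /etc/pam_radius_auth.conf
        dest: /etc/pam_radius_auth.conf
        owner: root
        group: root
        mode: "0600"

    - name: Copy over PAM sshd config
      template:
        src: /etc/pam.d/sshd
        dest: /etc/pam.d/sshd
        owner: root
        group: root
        mode: "0644"

    - name: Copy over PAM sudo config
      template:
        src: /etc/pam.d/sudo
        dest: /etc/pam.d/sudo
        owner: root
        group: root
        mode: "0644"

    # Restart SSH #
    # Both service names are kept from the original. Only one of them exists on
    # a given distribution (Debian-family hosts call it "ssh"), so the other
    # restart task is expected to fail unless it is removed or marked
    # ignore_errors.
    - name: Restart ssh
      service:
        name: ssh
        state: restarted

    - name: Restart sshd
      service:
        name: sshd
        state: restarted

    - include: change_root_pw.yml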