path: root/ansible/roles/common/tasks/main.yml
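---
# Common baseline for every managed host: hostname and /etc/hosts, an sshd
# hardening fragment, process limits, UTC timezone, sudo, MOTD, root's shell
# profile and a small set of administration packages.

# Set the kernel hostname to the inventory's ansible_host value.
# NOTE(review): this assumes ansible_host carries a hostname; an inventory that
# sets ansible_host to an IP address would name the machine after that address —
# confirm against the inventory (inventory_hostname may be the intended source).
- name: Update hostname to match Ansible inventory
  hostname:
    name: "{{ ansible_host }}"
  tags:
    - role::common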

# Render /etc/hosts from the role's etc-hosts.j2 template, root-owned and
# world-readable as the file normally is.
- name: Update /etc/hosts to match Ansible inventory
  template:
    src: etc-hosts.j2
    dest: /etc/hosts
    owner: root
    group: root
    mode: "0644"
  tags:
    - role::common

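# Drop-in sshd hardening fragment. It is only read if the distro's sshd_config
# carries `Include /etc/ssh/sshd_config.d/*.conf` (the case on current Debian
# and Rocky releases) — confirm on older releases, otherwise this file is
# silently ignored.
#
# `PasswordAuthentication no` on its own does not close PAM keyboard-interactive
# password prompts on distros whose default leaves them enabled, so the fragment
# also disables challenge-response. The ChallengeResponseAuthentication spelling
# is used because both older OpenSSH and current releases (where it is the alias
# of KbdInteractiveAuthentication) accept it.
#
# `validate` rejects the fragment before it is installed, so a typo cannot leave
# sshd unable to reload — or, worse, unable to start on the next restart.
- name: Configure SSH daemon options
  ansible.builtin.copy:
    content: |
      # Ansible managed

      # Logins
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PermitRootLogin no

      # Forwarding
      AllowAgentForwarding no
      X11Forwarding no

      # Connection keepalive
      ClientAliveInterval 300
      ClientAliveCountMax 3
    dest: /etc/ssh/sshd_config.d/hardening.conf
    owner: root
    group: root
    mode: "0444"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Reload ssh (Debian)
    - Reload sshd (Rocky)
  tags:
    - role::common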

# Process-count ceilings for unprivileged accounts, Debian only. Per
# limits.conf(5) the `*` wildcard domain does not apply to root, so root keeps
# the system default.
- name: Configure default security limits
  ansible.builtin.copy:
    dest: /etc/security/limits.d/pydis.conf
    content: |
      # Ansible managed

      # <domain>  <type>  <item>  <value>
      *           soft    nproc   100
      *           hard    nproc   200
    owner: root
    group: root
    mode: "0444"
  when: ansible_distribution == "Debian"
  tags:
    - role::common

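# Point /etc/localtime at the UTC zoneinfo file. The file module only creates a
# symlink when `state: link` is given; without it `src` is not used for linking
# and the task merely adjusts the attributes of whatever /etc/localtime already
# is. `force` lets the link replace a pre-existing regular file at dest.
- name: Set timezone to UTC
  file:
    src: /usr/share/zoneinfo/Etc/UTC
    dest: /etc/localtime
    state: link
    force: true
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart systemd-timesyncd
  tags:
    - role::common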

# Install the lecture text shown by sudo, rendered from sudo_lecture.j2.
- name: Create sudoers lecture
  template:
    src: sudo_lecture.j2
    dest: /etc/sudo_lecture
    owner: root
    group: root
    mode: "0644"
  tags:
    - role::common

# Render the role's sudoers fragment. `validate` runs visudo against the
# rendered file before it is moved into place, so a syntax error is rejected
# instead of breaking sudo; 0440 root:root is the ownership sudo expects for
# files under /etc/sudoers.d.
- name: Configure sudo
  template:
    dest: /etc/sudoers.d/pydis
    src: sudoers.j2
    validate: /usr/sbin/visudo -cf %s
    mode: "0440"
    owner: root
    group: root
  tags:
    - role::common

# Render the login banner from motd.j2.
- name: Configure MOTD
  template:
    src: motd.j2
    dest: /etc/motd
    owner: root
    group: root
    mode: "0644"
  tags:
    - role::common

# Give root the distro's skeleton .bashrc. remote_src copies the file on the
# managed host itself rather than from the controller.
- name: Enable default .bashrc for root
  copy:
    remote_src: true
    src: /etc/skel/.bashrc
    dest: /root/.bashrc
    owner: root
    group: root
    mode: "0644"
  tags:
    - role::common

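# On Rocky, enable EPEL in its own transaction first. A package that lives in
# EPEL cannot be resolved by the same dnf run that installs epel-release, so
# bundling htop with epel-release (as this task previously did) fails on a
# fresh host. htop is presumably the reason EPEL is wanted here — confirm the
# package's repository for the Rocky release in use.
- name: Install EPEL Release repository
  package:
    name: epel-release
    state: present
  when: ansible_distribution == "Rocky"
  tags:
    - role::common

- name: Install system administration tools from EPEL
  package:
    name: htop
    state: present
  when: ansible_distribution == "Rocky"
  tags:
    - role::common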

# Install the FreeIPA client package on Debian hosts. Only the package is
# installed here; enrollment is not performed by this task.
- name: Install IPA client on Debian systems
  package:
    state: present
    name:
      - freeipa-client
  when: ansible_distribution == "Debian"
  tags:
    - role::common

# Small administration and convenience packages for every host.
# NOTE(review): on Rocky some of these are presumably served from EPEL, which is
# why the EPEL task above must run first — confirm per package.
- name: Install system administration tools
  package:
    state: present
    name:
      - tmux
      - vim
      - fortune-mod
      - cowsay
  tags:
    - role::common

# Debian variant uses apt directly so recommended packages can be skipped.
- name: Install larger system administration tools (Debian)
  apt:
    state: present
    name: emacs-nox
    install_recommends: false
  tags:
    - role::common
  when: ansible_distribution == "Debian"

# Rocky variant goes through the generic package module.
- name: Install larger system administration tools (Rocky)
  package:
    state: present
    name: emacs-nox
  tags:
    - role::common
  when: ansible_distribution == "Rocky"