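---
# Bootstrap a fresh Ubuntu host: patch it, create an unprivileged "deploy"
# account with key-only SSH access and sudo rights, lock down sshd, and wire
# up unattended security upgrades plus a daily logwatch e-mail.
#
# NOTE(review): the play uses the legacy `action: module key=value` and
# `$var` / `$FILE()` syntax of early Ansible 1.x. The `validate=` arguments
# on the lineinfile tasks below need a release whose lineinfile supports
# them (added around Ansible 1.4 — confirm against the version you run).
- hosts: newservers
  vars:
    ubuntu_release: lucid
    # Recipient of the daily logwatch report; quoted so an address is never
    # mis-parsed as a YAML flow collection.
    logwatch_email: '[email protected]'
    # SHA-512 crypt(3) hash of the deploy user's login password.
    # A hash committed to version control is a credential: it can be cracked
    # offline, and anyone who applies this playbook unchanged ships a sudo-
    # capable account with THIS password. Regenerate it per deployment and
    # keep it out of the repository (ansible-vault, or a vars file that is not
    # committed). Generate on a Linux box (Python 2 or 3):
    #   python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$6$AC3bdCF7"))'
    # The crypt(3) salt alphabet is [A-Za-z0-9./]; the "!" in the salt below
    # is outside it and may be rejected by newer libcrypt builds — use a fresh
    # salt made only of those characters.
    deploy_password: '$6$AC3bdCF7!$rVroC3j8Ue5M2sEsJeXOzfztBNaBzKEiOzfkOSpqDHjcDDLP65dSRlUeHSir9JiC1k6AAWS2lYHJzmuxbojz0/'

  tasks:
    - name: Update APT package cache
      action: apt update_cache=yes

    # The apt module's upgrade= is idempotent and non-interactive, unlike
    # `command apt-get upgrade`, which re-runs on every play and can hang on
    # a debconf prompt.
    - name: Upgrade all installed packages
      action: apt upgrade=yes

    - name: Install fail2ban
      action: apt pkg=fail2ban state=present

    - name: Add deployment user
      action: user name=deploy password=$deploy_password

    # The key must be installed before password authentication is switched
    # off further down; otherwise the host is unreachable once sshd restarts.
    - name: Add authorized deploy key for Fred
      action: authorized_key user=deploy key='$FILE(fred.pub)'

    # Every /etc/sudoers edit is checked with `visudo -cf` before the file is
    # written: a syntax error disables sudo for everyone, and with root SSH
    # disabled below there would be no way back into the box.
    - name: Remove sudo group rights
      action: lineinfile dest=/etc/sudoers regexp="^%sudo" state=absent validate='visudo -cf %s'

    - name: Add deploy user to sudoers
      action: lineinfile dest=/etc/sudoers regexp="deploy ALL" line="deploy ALL=(ALL) ALL" state=present validate='visudo -cf %s'

    # sshd_config edits are validated with `sshd -t` before being written; a
    # broken config would otherwise be picked up by the restart handler and
    # lock every user out.
    - name: Disallow root SSH access
      action: lineinfile dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present validate='/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

    - name: Disallow password authentication
      action: lineinfile dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present validate='/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

    # PasswordAuthentication=no alone does not stop password logins while PAM
    # keyboard-interactive authentication is enabled. Ubuntu's stock config
    # already sets this to "no"; pinning it guards against drift.
    - name: Disallow challenge-response (keyboard-interactive) authentication
      action: lineinfile dest=/etc/ssh/sshd_config regexp="^ChallengeResponseAuthentication" line="ChallengeResponseAuthentication no" state=present validate='/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

    - name: Install unattended-upgrades
      action: apt pkg=unattended-upgrades state=present

    - name: Adjust APT update intervals
      action: copy src=config/apt_periodic dest=/etc/apt/apt.conf.d/10periodic

    # Drop the "-updates" origin so only $ubuntu_release-security is applied
    # automatically; ordinary updates remain a manual, reviewed step.
    - name: Make sure unattended-upgrades only installs from $ubuntu_release-security
      action: lineinfile dest=/etc/apt/apt.conf.d/50unattended-upgrades regexp="$ubuntu_release-updates" state=absent

    # Stage the debconf answers under /root with mode 0600 instead of a
    # world-readable file in /tmp: if the selections carry a relay host or
    # SASL credentials, every local user could otherwise read them.
    # Postfix itself is not installed here; it is presumably pulled in as the
    # MTA dependency of logwatch below (confirm on your release), which is
    # why the preseed must run first.
    - name: Copy debconf selections so that Postfix can configure itself non-interactively
      action: copy src=config/postfix_selections dest=/root/postfix_selections owner=root group=root mode=0600

    - name: Set up Postfix to relay mail
      action: command debconf-set-selections /root/postfix_selections

    - name: Install logwatch
      action: apt pkg=logwatch state=present

    # create=yes builds the cron script from this single line if it is
    # missing. NOTE(review): such a file would have no shebang or exec bit —
    # confirm the packaged /etc/cron.daily/00logwatch exists on the target.
    - name: Make logwatch mail $logwatch_email daily
      action: lineinfile dest=/etc/cron.daily/00logwatch regexp="^/usr/sbin/logwatch" line="/usr/sbin/logwatch --output mail --mailto $logwatch_email --detail high" state=present create=yes

  handlers:
    # Debian/Ubuntu register OpenSSH's init script as "ssh", not "sshd";
    # `service name=sshd` fails as an unknown service and the sshd_config
    # changes above never take effect. The handler keeps its name so the
    # notify: entries above still match.
    - name: Restart sshd
      action: service name=ssh state=restarted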