diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml
index fdadcd2..28f9649 100644
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@@ -26,7 +26,6 @@ base_packages:
   - bash-completion
   - screen
   - aptitude
-  - vim
   - tree
   - btop
   - ncdu
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 5b2dc17..92d106e 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -5,6 +5,9 @@ fail2ban:
   bantime: 600
   maxretry: 4
   ignore: "127.0.0.0/8 {{ dc_net }}"
+fail2ban_base_packages:
+  - fail2ban
+  - rsyslog
 vn_host:
   url: http://apt.verdnatura.es/pool/main/v/vn-host
   package: vn-host_2.0.2_all.deb
diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml
index 709bafe..838e89e 100644
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
@@ -1,10 +1,7 @@
-- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
   apt:
-    name: fail2ban
+    name: "{{ fail2ban_base_packages }}"
     state: present
-  loop:
-    - fail2ban
-    - rsyslog
 - name: Configure fail2ban service
   template:
     src: jail.local
diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml
index a43a71e..396832c 100644
--- a/roles/debian-base/tasks/install.yml
+++ b/roles/debian-base/tasks/install.yml
@@ -1,5 +1,4 @@
 - name: Install base packages
   apt:
-    name: "{{ item }}"
+    name: "{{ base_packages }}"
     state: present
-  loop: "{{ base_packages }}"
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 665c208..74471b2 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -20,3 +20,5 @@
   tags: vim
 - import_tasks: nrpe.yml
   tags: nrpe
+- import_tasks: fail2ban.yml
+  tags: fail2ban
diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml
index bf6aff3..d5e98a1 100644
--- a/roles/debian-base/tasks/nrpe.yml
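Review bot: The new `fail2ban_base_packages` list in roles/debian-base/defaults/main.yaml bundles rsyslog with fail2ban without saying why it belongs there, and nothing in this diff makes the dependency visible to the next reader. Presumably rsyslog is needed so a file-based auth log exists for the jails to read on hosts that otherwise log only to the journal, but that depends on the jail.local template, which is outside this diff. A one-line comment above the entry would settle it: `# rsyslog: keeps a file-based auth log for the jails to read -- TODO confirm against jail.local`. If the jails use the systemd backend instead, the comment (and possibly the package) should say so.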
+++ b/roles/debian-base/tasks/nrpe.yml
@@ -1,12 +1,8 @@
 - name: Install NRPE packages
   apt:
-    name: "{{ item }}"
+    name: "{{ nagios_packages }}"
     state: present
     install_recommends: no
-  loop:
-    - nagios-nrpe-server
-    - nagios-plugins-contrib
-    - monitoring-plugins-basic
 - name: Set NRPE generic configuration
   template:
     src: nrpe.cfg
diff --git a/roles/debian-once/handlers/main.yml b/roles/debian-once/handlers/main.yml
new file mode 100644
index 0000000..18c505e
--- /dev/null
+++ b/roles/debian-once/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
diff --git a/roles/debian-once/tasks/ssh.yml b/roles/debian-once/tasks/ssh.yml
index 84877cc..26f7a8b 100644
--- a/roles/debian-once/tasks/ssh.yml
+++ b/roles/debian-once/tasks/ssh.yml
@@ -1,10 +1,24 @@
+- name: Generate a new SSH key pair
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_rsa_key
+    type: rsa
+    size: 4096
+  register: new_pair
+- name: Configure sshd_config settings
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+    - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' }
+    - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' }
 - name: Delete old host SSH keys
   file:
     path: "{{ item }}"
     state: absent
   with_items:
     - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ecdsa_key.pub
     - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_rsa_key
-- name: Regenerate host SSH keys
-  command: dpkg-reconfigure openssh-server
+    - /etc/ssh/ssh_host_ed25519_key.pub
+  when: new_pair is succeeded
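Review bot: `name: "{{ nagios_packages }}"` in roles/debian-base/tasks/nrpe.yml references a variable that this commit never defines; the only default added here is `fail2ban_base_packages`, so unless `nagios_packages` lives in a vars file outside this diff the apt task fails with an undefined-variable error and the three packages dropped from the old loop (nagios-nrpe-server, nagios-plugins-contrib, monitoring-plugins-basic) are no longer installed anywhere visible. The fix is to add a `nagios_packages:` list with those three entries to roles/debian-base/defaults/main.yaml, next to `fail2ban_base_packages`, so both task files follow the same pattern. While here, the context line `install_recommends: no` would read better as `install_recommends: false`, the canonical YAML boolean. The rest of the task file continues after the hunk.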
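Review bot: The `restart sshd` handler added in roles/debian-once/handlers/main.yml is never notified anywhere in this diff: the `Configure sshd_config settings` and key-generation tasks in roles/debian-once/tasks/ssh.yml carry no `notify:`, so after the play sshd keeps running with the previous configuration and the previous host key until something else restarts it (unless a notify exists in a file outside this diff). Add `notify: restart sshd` to the lineinfile task and to the `Delete old host SSH keys` task so the service actually picks up the change. If the handler is meant to be reused from other roles, a short comment above it saying which tasks are expected to notify it would help.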
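Review bot: `openssh_keypair` is idempotent, so on a host that already has /etc/ssh/ssh_host_rsa_key (the cloned-image case the deleted `dpkg-reconfigure openssh-server` step was handling) the `Generate a new SSH key pair` task succeeds without generating anything, `when: new_pair is succeeded` is still true, and the ecdsa/ed25519 pairs are deleted while the inherited RSA key survives on every clone. If a fresh key is the intent, add `force: true` (or `regenerate: always` on community.crypto) to the module call, and consider whether the guard should be `when: new_pair is changed` rather than `is succeeded`. Deleting the ed25519 pair also leaves RSA as the only host key type, which drops the algorithm most current clients negotiate first; keeping an ed25519 key alongside the regenerated RSA one avoids that regression. The `^#ListenAddress 0.0.0.0` and `^#SyslogFacility AUTH` regexps only match the commented-out defaults, which is fine for a first run but worth a comment noting that a pre-customised sshd_config is left untouched.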