From 0859efa0c714130f6ba1adaee281a25dcdb97ed9 Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Sun, 16 Feb 2025 20:29:30 -0600
Subject: [PATCH] add ansible base role

---
 ansible/roles/base/files/10periodic | 4 +
 ansible/roles/base/files/authorized_keys_user | 1 +
 ansible/roles/base/files/issue | 4 +
 ansible/roles/base/files/motd | 4 +
 ansible/roles/base/files/sshd_config_secured | 95 +++++++++++++
 ansible/roles/base/tasks/main.yaml | 132 ++++++++++++++++++
 ansible/roles/base/vars/main.yaml | 17 +++
 7 files changed, 257 insertions(+)
 create mode 100644 ansible/roles/base/files/10periodic
 create mode 100644 ansible/roles/base/files/authorized_keys_user
 create mode 100644 ansible/roles/base/files/issue
 create mode 100644 ansible/roles/base/files/motd
 create mode 100644 ansible/roles/base/files/sshd_config_secured
 create mode 100644 ansible/roles/base/tasks/main.yaml
 create mode 100644 ansible/roles/base/vars/main.yaml

diff --git a/ansible/roles/base/files/10periodic b/ansible/roles/base/files/10periodic
new file mode 100644
index 0000000..5d37e9f
--- /dev/null
+++ b/ansible/roles/base/files/10periodic
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/ansible/roles/base/files/authorized_keys_user b/ansible/roles/base/files/authorized_keys_user
new file mode 100644
index 0000000..4c456ea
--- /dev/null
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
diff --git a/ansible/roles/base/files/issue b/ansible/roles/base/files/issue
new file mode 100644
index 0000000..5acb66f
--- /dev/null
+++ b/ansible/roles/base/files/issue
@@ -0,0 +1,4 @@
+Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
+
+IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
+
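Review bot: The public key in `authorized_keys_user` has no trailing comment field, so nothing in the repository records which person or device holds the matching private key; when the key has to be rotated or revoked, an operator can only match it by fingerprint. Appending the conventional comment, e.g. `ssh-ed25519 AAAA… <owner>@<device>` (placeholder), keeps that identity next to the key at no cost. If this account is meant for interactive use only, an options prefix such as `restrict,pty ` in front of the key type would also limit what the key can do beyond a shell.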
diff --git a/ansible/roles/base/files/motd b/ansible/roles/base/files/motd
new file mode 100644
index 0000000..fa6c8db
--- /dev/null
+++ b/ansible/roles/base/files/motd
@@ -0,0 +1,4 @@
+THIS SYSTEM IS FOR AUTHORIZED USE ONLY
+
+All activities are logged and monitored.
+
diff --git a/ansible/roles/base/files/sshd_config_secured b/ansible/roles/base/files/sshd_config_secured
new file mode 100644
index 0000000..88bfedb
--- /dev/null
+++ b/ansible/roles/base/files/sshd_config_secured
@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+ClientAliveInterval 300
+
+#enable remote powershell
+#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
+
+
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
new file mode 100644
index 0000000..6e0d0b1
--- /dev/null
+++ b/ansible/roles/base/tasks/main.yaml
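Review bot: `#Banner /etc/issue.net` stays commented out in the new sshd_config, while tasks/main.yaml in this same commit installs `files/issue` to `/etc/issue.net`, so the pre-authentication banner the role deploys is never shown to SSH clients; change the line to `Banner /etc/issue.net`. Several directives in this hunk (`Protocol 2`, `UsePrivilegeSeparation yes`, `KeyRegenerationInterval 3600`, `ServerKeyBits 1024`, `RSAAuthentication yes`, `RhostsRSAAuthentication no`) belong to SSH protocol 1 or were removed from OpenSSH, and current sshd releases log them as deprecated at startup; dropping them keeps the file to options that still do something. `HostKey /etc/ssh/ssh_host_dsa_key` names a key type that OpenSSH has disabled by default since 7.0 and removed in recent releases, so on most hosts that line only produces a "Could not load host key" message at start; consider removing it. The rest of the hardening (`PermitRootLogin no`, `PasswordAuthentication no`, `PermitEmptyPasswords no`, `X11Forwarding no`) looks right as deployed.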
@@ -0,0 +1,132 @@
+- name: Update packages
+ apt:
+ name: '*'
+ state: latest
+ update_cache: yes
+ only_upgrade: yes
+ retries: 300
+ delay: 10
+
+- name: Remove packages not needed anymore
+ apt:
+ autoremove: yes
+ retries: 300
+ delay: 10
+
+- name: Install required packages Debian
+ apt:
+ state: latest
+ pkg: "{{ item }}"
+ with_items: "{{ required_packages }}"
+ retries: 300
+ delay: 10
+
+- name: Create user account
+ user:
+ name: "user"
+ shell: /bin/bash
+ state: present
+ createhome: yes
+
+- name: ensure ssh folder exists for user
+ file:
+ path: /home/user/.ssh
+ owner: user
+ group: user
+ mode: "0700"
+ state: directory
+
+- name: Deploy SSH Key (user)
+ copy:
+ dest: /home/user/.ssh/authorized_keys
+ src: files/authorized_keys_user
+ owner: user
+ group: user
+ force: true
+
+- name: Remove Root SSH Configuration
+ file:
+ path: /root/.ssh
+ state: absent
+
+- name: Copy Secured SSHD Configuration
+ copy:
+ src: files/sshd_config_secured
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0644"
+ when: ansible_os_family == "Debian"
+
+- name: Copy Secured SSHD Configuration
+ copy:
+ src: files/sshd_config_secured_redhat
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0644"
+ when: ansible_os_family == "RedHat"
+
+- name: Restart SSHD
+ systemd:
+ name: sshd
+ daemon_reload: yes
+ state: restarted
+ enabled: yes
+ ignore_errors: yes
+
+
+- name: Copy unattended-upgrades file
+ copy:
+ src: files/10periodic
+ dest: /etc/apt/apt.conf.d/10periodic
+ owner: root
+ group: root
+ mode: "0644"
+ force: yes
+ when: ansible_os_family == "Debian"
+
+- name: Remove undesirable packages
+ package:
+ name: "{{ unnecessary_software }}"
+ state: absent
+ when: ansible_os_family == "Debian"
+
+- name: Stop and disable unnecessary services
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items: "{{ unnecessary_services }}"
+ ignore_errors: yes
+
+- name: Set a message of the day
+ copy:
+ dest: /etc/motd
+ src: files/motd
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Set a login banner
+ copy:
+ dest: "{{ item }}"
+ src: files/issue
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - /etc/issue
+ - /etc/issue.net
+
+- name: set timezone
+ shell: timedatectl set-timezone America/Chicago
+
+- name: Enable cockpit
+ systemd:
+ name: cockpit
+ daemon_reload: yes
+ state: restarted
+ enabled: yes
+ when: ansible_os_family == "RedHat"
+
diff --git a/ansible/roles/base/vars/main.yaml b/ansible/roles/base/vars/main.yaml
new file mode 100644
index 0000000..2670ac2
--- /dev/null
+++ b/ansible/roles/base/vars/main.yaml
@@ -0,0 +1,17 @@
+required_packages:
+ - ufw
+ - qemu-guest-agent
+ - fail2ban
+ - unattended-upgrades
+ - cockpit
+ - nfs-common
+ - open-iscsi
+
+unnecessary_services:
+ - postfix
+ - telnet
+
+unnecessary_software:
+ - tcpdump
+ - nmap-ncat
+ - wpa_supplicant
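Review bot: The RedHat branch of `Copy Secured SSHD Configuration` copies `files/sshd_config_secured_redhat`, but no file of that name is added by this commit (the diffstat lists only `sshd_config_secured`, and the whole `files/` directory is created here), so on a RedHat host that task fails outright; either add the file or drop the branch until it exists. `Restart SSHD` then runs with `ignore_errors: yes`, which hides exactly the failure that matters here — a config sshd refuses — so the play reports success while the next connection breaks; remove `ignore_errors: yes` and add `validate: /usr/sbin/sshd -t -f %s` to both copy tasks so a bad config is rejected before it reaches `/etc/ssh/sshd_config`. `Remove Root SSH Configuration` deletes `/root/.ssh` unconditionally, which also removes root's `authorized_keys`; together with `PermitRootLogin no` that is presumably intended, but the new `user` account is created with no group or sudo setup visible in this role, so confirm privilege escalation is provided elsewhere before the play locks root out. `Install required packages Debian` uses the `apt` module with no `when` guard, unlike the other Debian-specific tasks, so it fails on any RedHat host before the RedHat-gated tasks are reached. Minor: `mode: 0644` in the motd and banner tasks is unquoted while the earlier tasks use `mode: "0644"`, and the `yes`/`no` booleans should be `true`/`false` to match the `force: true` already used.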
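Review bot: `unnecessary_software` lists `nmap-ncat`, which is the Red Hat package name; the Debian equivalent is `ncat`, and the only consumer of this list (`Remove undesirable packages` in tasks/main.yaml) is gated to `ansible_os_family == "Debian"`, so that entry is likely a no-op on the hosts it targets — confirm which name the fleet actually uses. `required_packages` likewise holds Debian names (`nfs-common`, `open-iscsi`) and is only installed through `apt`, so these lists are Debian-only in practice; a comment above them such as `# Debian package names; this role has no RedHat equivalents yet` would make that scope explicit to the next maintainer.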