add ansible base role

ansible/roles/base/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

ansible/roles/base/files/authorized_keys_user

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M

ansible/roles/base/files/issue

@@ -0,0 +1,4 @@
+Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
+
+IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
+

ansible/roles/base/files/motd

@@ -0,0 +1,4 @@
+THIS SYSTEM IS FOR AUTHORIZED USE ONLY
+
+All activities are logged and monitored.
+

ansible/roles/base/files/sshd_config_secured

@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+ClientAliveInterval 300
+
+#enable remote powershell
+#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
+
+

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,132 @@
+- name: Update packages
+  apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+    only_upgrade: yes
+  retries: 300
+  delay: 10
+
+- name: Remove packages not needed anymore
+  apt:
+    autoremove: yes  
+  retries: 300
+  delay: 10      
+      
+- name: Install required packages Debian
+  apt: 
+    state: latest 
+    pkg: "{{ item }}"
+  with_items:  "{{ required_packages }}" 
+  retries: 300
+  delay: 10  
+
+- name: Create user account
+  user: 
+    name: "user"
+    shell: /bin/bash
+    state: present
+    createhome: yes
+
+- name: ensure ssh folder exists for user
+  file: 
+    path: /home/user/.ssh
+    owner: user 
+    group: user 
+    mode: "0700"
+    state: directory
+
+- name: Deploy SSH Key (user)
+  copy:
+    dest: /home/user/.ssh/authorized_keys
+    src: files/authorized_keys_user
+    owner: user 
+    group: user
+    force: true 
+
+- name: Remove Root SSH Configuration
+  file: 
+    path: /root/.ssh
+    state: absent
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"
+  when: ansible_os_family == "Debian"   
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured_redhat 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"    
+  when: ansible_os_family == "RedHat"   
+
+- name: Restart SSHD
+  systemd:
+    name: sshd
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+  ignore_errors: yes
+
+
+- name: Copy unattended-upgrades file
+  copy: 
+    src: files/10periodic
+    dest: /etc/apt/apt.conf.d/10periodic 
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: ansible_os_family == "Debian"      
+
+- name: Remove undesirable packages
+  package:
+    name: "{{ unnecessary_software }}"
+    state: absent
+  when: ansible_os_family == "Debian"    
+
+- name: Stop and disable unnecessary services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  with_items: "{{ unnecessary_services }}"
+  ignore_errors: yes
+
+- name: Set a message of the day
+  copy:
+    dest: /etc/motd
+    src: files/motd
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Set a login banner
+  copy:
+    dest: "{{ item }}"
+    src: files/issue
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - /etc/issue
+    - /etc/issue.net
+
+- name: set timezone
+  shell: timedatectl set-timezone America/Chicago
+
+- name: Enable cockpit
+  systemd:
+    name: cockpit
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+  when: ansible_os_family == "RedHat"    
+

ansible/roles/base/vars/main.yaml

@@ -0,0 +1,17 @@
+required_packages:
+    - ufw
+    - qemu-guest-agent
+    - fail2ban
+    - unattended-upgrades
+    - cockpit
+    - nfs-common
+    - open-iscsi
+
+unnecessary_services:
+    - postfix
+    - telnet
+    
+unnecessary_software:
+    - tcpdump
+    - nmap-ncat
+    - wpa_supplicant