blob: 477bd345ca0643e913fbb35cbe9aada946109b79 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
tags: intel
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: auditd.yml tags=auditd
- include: rkhunter.yml tags=rkhunter
- include: clamav.yml tags=clamav
- include: fail2ban.yml tags=fail2ban
- include: smart.yml tags=smartmontools,smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
- include: haveged.yml tags=haveged,entropy
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
owner=root group=root
mode=0755
tags: genkey
with_items:
- genkeypair.sh
- gendhparam.sh
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
- include: bacula.yml tags=bacula-fd,bacula
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
# XXX: this is a workaround the CAcert root CAs not being present in
# Jessie. In stretch, we would merely install the 'ca-cacert' package.
- name: Create directory /usr/local/share/ca-certificates/CAcert
file: path=/usr/local/share/ca-certificates/CAcert
state=directory
owner=root group=root
mode=0755
tags:
- certs
- name: Copy CAcert root CAs
copy: src=certs/CAcert/{{ item }}
dest=/usr/local/share/ca-certificates/CAcert/{{ item }}
owner=root group=root
mode=0644
with_items:
- root.crt
- class3.crt
tags:
- certs
notify:
- Update certificate
|