initial commit

roles/common/tasks/main.yml

@@ -0,0 +1,16 @@
+- import_tasks: repos.yml
+  tags: repos
+- import_tasks: users.yml
+  tags: users
+- import_tasks: openssh.yml
+  tags: openssh
+- import_tasks: ufw.yml
+  tags: firewall
+- import_tasks: msmtp.yml
+  tags: smtp
+- import_tasks: nginx.yml
+  tags: nginx
+- import_tasks: node_exporter.yml
+  tags: node_exporter
+#- import_tasks: backup.yml
+# tags: backup

roles/common/tasks/msmtp.yml

@@ -0,0 +1,18 @@
+---
+# Install and configure SMTP relay
+- name: Install msmtp
+  apt:
+    name:
+    - msmtp
+    - msmtp-mta
+    state: present
+
+- name: Copy msmtp configuration
+  template:
+    src: msmtp/msmtprc.j2
+    dest: /etc/msmtprc
+
+- name: Copy aliases
+  template:
+    src: msmtp/aliases.j2
+    dest: /etc/aliases

roles/common/tasks/nginx.yml

@@ -0,0 +1,101 @@
+---
+# Install and configure Nginx
+- name: Install htpasswd dependencies
+  apt:
+    name: python-passlib
+    state: present
+
+- name: Install SSL dependencies
+  apt:
+    name: ssl-cert
+    state: present
+
+- name: Install Nginx
+  apt:
+    name: nginx-full
+    state: present
+
+- name: Create Nginx configuration directories
+  file:
+    path: "{{ config_dir }}"
+    state: directory
+    owner: root
+    group: www-data
+    mode: "755"
+  loop:
+  - "{{ nginx_config_dir }}"
+  - "{{ nginx_ssl_dir }}"
+  loop_control:
+    loop_var: config_dir
+
+- name: Generate Diffie-Hellman parameters
+  # This can take a long time... So we are doing it in async mode
+  openssl_dhparam:
+    path: "{{ nginx_ssl_dir }}/dhparam.pem"
+    size: 3072
+    owner: root
+    group: www-data
+  async: 3600
+  poll: 0
+  register: nginx_dh
+
+- name: Use snakoil cert key as Nginx's default private key
+  file:
+    src: "/etc/ssl/private/ssl-cert-snakeoil.key"
+    path: "{{ nginx_ssl_dir }}/nginx.key"
+    state: link
+    owner: root
+    group: www-data
+    mode: "750"
+    force: yes
+
+- name: Use snakoil cert as Nginx's default certificate
+  file:
+    src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+    path: "{{ nginx_ssl_dir }}/nginx.crt"
+    state: link
+    owner: root
+    group: www-data
+    mode: "755"
+    force: yes
+
+- name: Copy default Nginx config
+  template:
+    src: nginx/default.conf.j2
+    dest: /etc/nginx/sites-available/default
+    owner: root
+    group: www-data
+    mode: "755"
+  notify: reload nginx
+
+- name: Enable default Nginx config
+  file:
+    src: /etc/nginx/sites-available/default
+    dest: /etc/nginx/sites-enabled/default
+    owner: root
+    group: www-data
+    mode: "755"
+  notify: reload nginx
+
+- name: Allow default Nginx ports
+  ufw:
+    rule: allow
+    name: "Nginx Full"
+
+- name: Waiting for Diffie-Hellman task to complete…
+  async_status:
+    jid: "{{ nginx_dh.ansible_job_id }}"
+  register: nginx_dh_job
+  retries: 60
+  delay: 30 # will retry every 30s for 30min (60 retries)
+  until: nginx_dh_job.finished
+
+- name: Start Nginx server
+  service:
+    name: nginx
+    state: started
+    enabled: yes
+  register: nginx_started
+
+- name: "Trigger Nginx handlers"
+  meta: flush_handlers

roles/common/tasks/node_exporter.yml

@@ -0,0 +1,30 @@
+---
+# Install and configure node-exporter
+- name: Include role for installing node-exporter
+  include_role:
+    name: cloudalchemy.node-exporter
+    public: yes
+  vars:
+    node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}"
+
+- name: Configure Nginx for node-exporter
+  import_role:
+    name: nginx
+  vars:
+    nginx_config_file: node-exporter.conf
+    nginx_server:
+      name: "{{ inventory_hostname }}"
+      port: "{{ node_exporter_public_port }}"
+      locations:
+      - path: "{{ node_exporter_path }}"
+        basic_auth:
+          file: .htpasswd.node-exporter
+          password: "{{ node_exporter_password }}"
+        proxy_pass:
+          port: "{{ node_exporter_port }}"
+          path: /metrics
+
+- name: Allow node-exporter port {{ node_exporter_public_port }}
+  ufw:
+    rule: allow
+    port: "{{ node_exporter_public_port }}"

roles/common/tasks/openssh.yml

@@ -0,0 +1,19 @@
+---
+# Configure OpenSSH server
+- name: Configure OpenSSH server
+  template:
+    src: openssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    backup: yes
+    owner: "0"
+    group: "0"
+    mode: "0644"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: restart openssh
+
+- name: Trigger Ansible handlers
+  meta: flush_handlers
+
+- name: Change Ansible SSH port to {{ openssh_port }}
+  set_fact:
+    ansible_port: "{{ openssh_port }}"

roles/common/tasks/repos.yml

@@ -0,0 +1,12 @@
+---
+# Configure APT repositories and automatic upgrades
+- name: Safely upgrade the server
+  apt:
+    upgrade: safe
+    update_cache: yes
+    cache_valid_time: "3600"
+  
+- name: Install unattend-upgrades for automatic upgrades
+  apt:
+    name: unattended-upgrades
+    state: present

roles/common/tasks/ufw.yml

@@ -0,0 +1,15 @@
+---
+# Install and configure UFW, the uncomplicated firewall
+- name: Install UFW, the uncomplicated firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Allow OpenSSH port {{ openssh_port }}
+  ufw: 
+    rule: allow
+    port: "{{ openssh_port }}"
+
+- name: Enable UFW config
+  ufw:
+    state: enabled

roles/common/tasks/user.yml

@@ -0,0 +1,22 @@
+---
+# Create an user and add their SSH public keys
+- name: Create user {{ user.name }} with no password
+  user:
+    name: "{{ user.name }}"
+    shell: /bin/bash
+    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
+    password: '*'
+    groups: 
+    - sudo
+    append: yes
+    state: present
+    update_password: on_create
+
+- name: Add SSH public keys for user {{ user.name }}
+  authorized_key:
+    user: "{{ user.name }}"
+    state: present
+    # we can pass multiple SSH keys, but they must be separated by newlines
+    key: "{{ user.ssh_keys | join('\n') }}"
+    # remove obsolete keys
+    exclusive: yes

roles/common/tasks/users.yml

@@ -0,0 +1,28 @@
+---
+# Create users and add their SSH public keys
+- name: Install sudo package
+  package:
+    name: sudo
+    state: present
+  tags: sudo
+
+- name: Remove password to become root with sudo
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+  tags: sudo
+
+- name: Remove password for root user
+  user:
+    name: root
+    shell: /bin/bash
+    state: present
+
+- name: Create users and add their SSH public keys
+  include_tasks: user.yml
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user