kolter
/
ansible-playbooks


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110
							- name: Install auto upgrades package
  apt: pkg=unattended-upgrades state=installed update_cache=yes
  when: with_auto_upgrade

- name: Reconfigure unattended-upgrades package
  debconf: name="unattended-upgrades" question="unattended-upgrades/enable_auto_updates" value="true" vtype="boolean"
  notify:
    - Reconfigure unattended-upgrades
  when: with_auto_upgrade

- name: Update unattended-upgrades configuration
  template: src={{ item }} dest=/etc/apt/apt.conf.d/90unattended-upgrades-local owner=root group=root mode=0644
  first_available_file:
    - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
    - apt/auto-upgrades.j2
  when: with_auto_upgrade

- name: Install logcheck packages
  apt: pkg={{ item }} state=installed update_cache=yes
  with_items:
    - logcheck
    - logcheck-database
  when: with_logcheck

- name: Install local configuration files for logcheck
  copy: src=logcheck/{{ item }}_local dest=/etc/logcheck/ignore.d.server/{{ item }}_local owner=root group=root mode=0644
  with_items:
    - amavisd-new
    - ansible
    - apache2
    - bind
    - dhclient
    - dnsmasq
    - dovecot
    - dropbear
    - git-daemon
    - gogs
    - ipmi
    - irqbalance
    - kernel
    - libpam-modules
    - mon
    - noip2
    - ntp
    - openvpn
    - php
    - postfix
    - pure-ftpd
    - pve-cluster
    - redir
    - rpc-mountd
    - rrdcached
    - rsyslog
    - smartd
    - spamd
    - sshd
    - svn
    - sympa
    - systemd
    - zabbix-agentd
  when: with_logcheck

- name: Update logcheck cron job
  template: src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644
  when: with_logcheck

- name: Install rkhunter related packages
  apt: pkg={{ item }} state=installed update_cache=yes
  with_items:
    - lsof
    - unhide
    - rkhunter
  when: with_rkhunter

- name: Reconfigure rkhunter package
  debconf: name="{{item.name}}" question="{{item.question}}" value="{{item.value}}" vtype="{{item.vtype}}"
  with_items:
    - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
    - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
    - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
  notify:
    - Reconfigure rkhunter
  when: with_rkhunter

- name: Update rkhunter configuration
  template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
  when: with_rkhunter

- name: Update chkrootkit configuration
  template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
  when: with_chkrootkit

- name: Update fstab to hide pids from /proc
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid == ''

- name: Update fstab to hide pids from /proc with group id (gid)
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid != ''

- name: 'Create Diffie-Helman parameters'
  command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
  args:
    creates: '/etc/ssl/private/dh{{ item }}.pem'
  with_items:
    - 2048