kolter
/
ansible-playbooks


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
							- name: Install auto upgrades package
  apt: pkg=unattended-upgrades state=installed update_cache=yes
  when: with_auto_upgrade

- name: Reconfigure unattended-upgrades package
  debconf: name="unattended-upgrades" question="unattended-upgrades/enable_auto_updates" value="true" vtype="boolean"
  notify:
    - Reconfigure unattended-upgrades
  when: with_auto_upgrade

- name: Update unattended-upgrades configuration
  template: src={{ item }} dest=/etc/apt/apt.conf.d/90unattended-upgrades-local owner=root group=root mode=0644
  first_available_file:
    - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
    - apt/auto-upgrades.j2
  when: with_auto_upgrade

- name: Install logcheck packages
  apt: pkg={{ item }} state=installed update_cache=yes
  with_items:
    - logcheck
    - logcheck-database
  when: with_logcheck

- name: Install local configuration files for logcheck
  copy: src=logcheck/{{ item }}_local dest=/etc/logcheck/ignore.d.server/{{ item }}_local owner=root group=root mode=0644
  with_items:
    - amavisd-new
    - ansible
    - bind
    - dhclient
    - dovecot
    - dropbear
    - git-daemon
    - ipmi
    - irqbalance
    - kernel
    - libpam-modules
    - mon
    - noip2
    - ntp
    - openvpn
    - php
    - postfix
    - pure-ftpd
    - pve-cluster
    - redir
    - rpc.mountd
    - rrdcached
    - rsyslog
    - smartd
    - spamd
    - sshd
    - svn
    - sympa
  when: with_logcheck

- name: Update logcheck cron job
  template: src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644
  when: with_logcheck

- name: Install rkhunter related packages
  apt: pkg={{ item }} state=installed update_cache=yes
  with_items:
    - lsof
    - unhide
    - rkhunter
  when: with_rkhunter

- name: Update rkhunter default/init parameters
  template: src=rkhunter/default.j2 dest=/etc/default/rkhunter owner=root group=root mode=0644
  when: with_rkhunter

- name: Update rkhunter configuration
  template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
  when: with_rkhunter

- name: Update chkrootkit configuration
  template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
  when: with_chkrootkit

- name: Update fstab to hide pids from /proc
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid == ''

- name: Update fstab to hide pids from /proc with group id (gid)
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid != ''

- name: Create Diffie-Helman parameters
  command: openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }} creates=/etc/ssl/private/dh{{ item }}.pem
  with_items:
    - 2048