From 6eacffce046a249d0bd89eb089e72830c3ec76c2 Mon Sep 17 00:00:00 2001
From: Shaun Reed
Date: Thu, 29 Aug 2019 09:35:19 +0000
Subject: [PATCH] Add general core server configuration
---
ansible/core.yml | 5 ++
ansible/roles/core/README.md | 38 ++++++++++++
ansible/roles/core/defaults/main.yml | 9 +++
ansible/roles/core/files/.gitconfig | 3 +
ansible/roles/core/files/motd | 7 +++
ansible/roles/core/files/setup-vim.sh | 61 +++++++++++++++++++
ansible/roles/core/files/sshd | 71 ++++++++++++++++++++++
ansible/roles/core/files/sshd_config | 15 +++++
ansible/roles/core/handlers/main.yml | 4 ++
ansible/roles/core/meta/main.yml | 53 ++++++++++++++++
ansible/roles/core/tasks/configure-git.yml | 4 ++
ansible/roles/core/tasks/configure-ssh.yml | 25 ++++++++
ansible/roles/core/tasks/configure-vim.yml | 10 +++
ansible/roles/core/tasks/install-apps.yml | 4 ++
ansible/roles/core/tasks/main.yml | 17 ++++++
ansible/roles/core/tasks/service-ssh.yml | 3 +
16 files changed, 329 insertions(+)
create mode 100644 ansible/core.yml
create mode 100644 ansible/roles/core/README.md
create mode 100644 ansible/roles/core/defaults/main.yml
create mode 100644 ansible/roles/core/files/.gitconfig
create mode 100644 ansible/roles/core/files/motd
create mode 100755 ansible/roles/core/files/setup-vim.sh
create mode 100644 ansible/roles/core/files/sshd
create mode 100644 ansible/roles/core/files/sshd_config
create mode 100644 ansible/roles/core/handlers/main.yml
create mode 100644 ansible/roles/core/meta/main.yml
create mode 100644 ansible/roles/core/tasks/configure-git.yml
create mode 100644 ansible/roles/core/tasks/configure-ssh.yml
create mode 100644 ansible/roles/core/tasks/configure-vim.yml
create mode 100644 ansible/roles/core/tasks/install-apps.yml
create mode 100644 ansible/roles/core/tasks/main.yml
create mode 100644 ansible/roles/core/tasks/service-ssh.yml
diff --git a/ansible/core.yml b/ansible/core.yml
new file mode 100644
index 0000000..653044f
--- /dev/null
+++ b/ansible/core.yml
@@ -0,0 +1,5 @@
+---
+- hosts: core
+ become: yes
+ roles:
+ - core
diff --git a/ansible/roles/core/README.md b/ansible/roles/core/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/core/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/core/defaults/main.yml b/ansible/roles/core/defaults/main.yml
new file mode 100644
index 0000000..8fca634
--- /dev/null
+++ b/ansible/roles/core/defaults/main.yml
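Review bot: `become: yes` on the play uses a YAML 1.1 truthy spelling; `become: true` reads the same under 1.1 and 1.2 parsers and passes yamllint's truthy rule. The play also has no `name:`, so run output only shows `hosts: core`; a `- name: Configure core servers` line above `hosts: core` makes the log self-describing. The role is applied with become to the whole host, so every task in the role, including the user-level git and vim steps, runs as root unless it sets `become_user` itself.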
@@ -0,0 +1,9 @@
+---
+packages: [git, vim, ssh]
+ssh_port: 22
+auth_methods: "publickey,keyboard-interactive"
+git_email: "user@domain.com"
+git_name: "First Last"
+hostname: "localhost"
+domain_name: "www.localhost.com"
+
diff --git a/ansible/roles/core/files/.gitconfig b/ansible/roles/core/files/.gitconfig
new file mode 100644
index 0000000..7a1f883
--- /dev/null
+++ b/ansible/roles/core/files/.gitconfig
@@ -0,0 +1,3 @@
+[user]
+ email = "{{ git_email }}"
+ name = "{{ git_name }}"
diff --git a/ansible/roles/core/files/motd b/ansible/roles/core/files/motd
new file mode 100644
index 0000000..56347d8
--- /dev/null
+++ b/ansible/roles/core/files/motd
@@ -0,0 +1,7 @@
+// ██╗ ██╗█████╗██████╗██████╗█████████████╗
+// ██║ ██╔██╔══████╔══████╔══████╔════██╔══██╗
+// █████╔╝█████████████╔██████╔█████╗ ██████╔╝
+// ██╔═██╗██╔══████╔═══╝██╔═══╝██╔══╝ ██╔══██╗
+// ██║ ████║ ████║ ██║ █████████║ ██║
+// ╚═╝ ╚═╚═╝ ╚═╚═╝ ╚═╝ ╚══════╚═╝ ╚═╝
+// Host: {{ hostname }} - {{ domain_name }}
diff --git a/ansible/roles/core/files/setup-vim.sh b/ansible/roles/core/files/setup-vim.sh
new file mode 100755
index 0000000..d3e01f3
--- /dev/null
+++ b/ansible/roles/core/files/setup-vim.sh
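Review bot: The SSH-facing settings are split between this file and literals elsewhere: `ssh_port` and `auth_methods` are overridable here, but the login allow-list written to `/etc/authusers` and the YubiKey IDs written to `/etc/ssh/authorized_yubikeys` are hard-coded inside configure-ssh.yml, so an operator who overrides these defaults still ships the placeholder users and token IDs. Adding defaults such as `auth_users: []` and `yubikey_ids: []` here and rendering those files from them keeps the whole access policy in one place. `git_email`, `git_name`, `hostname` and `domain_name` are placeholders that get written into real files if not overridden; a comment like `# Placeholder values, expected to be overridden per host or group` above them states that. `packages: [git, vim, ssh]` is a fine flow list, but it assumes the Debian package names that the `apt` task and the `ssh` service name also assume.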
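Review bot: `files/.gitconfig` carries Jinja (`{{ git_email }}`, `{{ git_name }}`) and is consumed by the `template` module, but by Ansible convention `files/` holds verbatim `copy` sources and rendered sources live in `templates/`, usually with a `.j2` suffix, so neither a reader nor ansible-lint expects interpolation here. The same applies to `files/motd` and `files/sshd_config`, which also contain Jinja. Moving the three into `templates/` lets the task lines drop the `files/` prefix, e.g. `template: src=.gitconfig.j2 dest=...`.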
@@ -0,0 +1,61 @@
+#!/bin/bash
+# Author: Shaun Reed | Contact: shaunrd0@gmail.com | URL: www.shaunreed.com ##
+## A custom bash script to configure vim with my preferred settings ##
+## Run as user with sudo within directory to store / stash .vimrc configs ##
+###############################################################################
+
+
+printf "\nUpdating, upgrading required packages...\n"
+sudo apt -y update && sudo apt -y upgrade
+sudo apt install vim git
+
+# Clone klips repository in a temp directory
+git clone https://github.com/shaunrd0/klips temp/
+# Relocate the files we need and remove the temp directory
+mkdir -pv /etc/config-vim
+mv -fuv temp/README.md /etc/config-vim/ && mv -fuv temp/configs/.vimrc* /etc/config-vim/
+rm -Rf temp/
+printf "\n${GREEN}Klips config files updated"\
+ "\nSee $PWD/etc/config-vim/README.md for more information.${NORMAL}\n\n"
+
+# Create backup dir for .vimrc
+mkdir -pv /etc/config-vim/backup/
+printf "\n${GREEN}Backup directory created - $PWD/etc/config-vim/backup/${NORMAL}\n"
+
+# Stash the current .vimrc
+mv -bv /home/kansible/.vimrc /etc/config-vim/backup/
+printf "${RED}Your local .vimrc has been stashed in $PWD/etc/config-vim/backup/${NORMAL}\n\n"
+
+# Copy our cloned config into the user home directory
+cp /etc/config-vim/.vimrc /home/kansible/
+printf "${GREEN}New /home/kansible/.vimrc configuration installed.${NORMAL}\n"
+
+# Reinstall Pathogen plugin manager for vim
+# https://github.com/tpope/vim-pathogen
+printf "\n${RED}Removing any previous installations of Pathogen...${NORMAL}\n"
+sudo rm -f /home/kansible/.vim/autoload/pathogen.vim
+
+# Install Pathogen
+printf "\n${GREEN}Installing Pathogen plugin manager for Vim....\n"\
+ "\nIf they don't exist, we will create the following directories:\n"\
+ "/home/kansible/.vim/autoload/ ~/.vim/bundle/${NORMAL}"
+mkdir -pv /home/kansible/.vim/autoload ~/.vim/bundle && \
+ sudo curl -LSso /home/kansible/.vim/autoload/pathogen.vim https://tpo.pe/pathogen.vim
+printf 
"\n${GREEN}Pathogen has been installed! Plugins plugins can now be easily installed.\n"\
+ "Clone any plugin repositories into /home/kansible/.vim/bundles${NORMAL}\n"
+
+# Remove any plugins managed by this config tool (Klips)
+printf "\n${RED}Removing plugins installed by this tool...${NORMAL}\n"
+sudo rm -R /home/kansible/.vim/bundle/*
+
+# Clone plugin repos into pathogen plugin directory
+printf "\n${GREEN}Installing updated plugins...${NORMAL}\n"
+git clone https://github.com/ervandew/supertab /home/kansible/.vim/bundle/supertab && \
+ printf "\n${GREEN}Supertab plugin has been installed${NORMAL}\n\n" && \
+ git clone https://github.com/xavierd/clang_complete /home/kansible/.vim/bundle/clang_complete && \
+ printf "\n${GREEN}Clang Completion plugin has been installed${NORMAL}\n\n"
+vimConf=( "\n${UNDERLINE}Vim has been configured with the Klips repository.${NORMAL}" \
+ "\nConfiguration Changes: " )
+printf '%b\n' "${vimConf[@]}"
+sudo cat /etc/klips/configs/.vimrc-README
+
diff --git a/ansible/roles/core/files/sshd b/ansible/roles/core/files/sshd
new file mode 100644
index 0000000..67de99d
--- /dev/null
+++ b/ansible/roles/core/files/sshd
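Review bot: The script is run by the `script` module from a play with `become: yes`, yet it hard-codes `/home/kansible` for `.vimrc`, `.vim/autoload` and `.vim/bundle` while `mkdir -pv /home/kansible/.vim/autoload ~/.vim/bundle` also uses `~`, which under become is root's home, so the bundle directory is created in one place and the plugins are cloned into another, and everything written under `/home/kansible` ends up root-owned. `sudo apt install vim git` has no `-y`, so a non-interactive run will very likely stop or abort at apt's confirmation prompt, and `${GREEN}`, `${RED}`, `${UNDERLINE}` and `${NORMAL}` are never defined anywhere in the file, so they expand to nothing. `sudo curl -LSso /home/kansible/.vim/autoload/pathogen.vim https://tpo.pe/pathogen.vim` installs code fetched over the network with no integrity check; vendoring `pathogen.vim` under `files/` or comparing the download against a known digest keeps the result reproducible, and the same goes for the unpinned `git clone` of `supertab` and `clang_complete`. The script also clones `klips` into `temp/` relative to whatever the module's working directory is, while configure-vim.yml has already cloned the same repository to `/etc/klips/`, which the last line reads from; one copy should be enough.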
@@ -0,0 +1,71 @@
+# PAM configuration for the Secure Shell service
+
+
+# Allow specified users to bypass any further PAM settings
+auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers
+
+# Prompt for YubiKey first, to gate off all other auth methods
+auth required pam_yubico.so id=12345 id key=gbsdS8adW\OsBfdsZhga12Z2AT34Q+saM= key authfile=/etc/ssh/authorized_yubikeys
+
+# Prompt for the local password associated with user attempting login
+# nullok allows for empty passwords, though it is not recommended.
+auth required pam_unix.so nullok
+
+# If /etc/nologin exists, do not allow users to login
+# Outputs content of /etc/nologin and denies auth attempt
+auth required pam_nologin.so
+
+
+# Standard Un*x authentication.
+#@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login. 
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/ansible/roles/core/files/sshd_config b/ansible/roles/core/files/sshd_config
new file mode 100644
index 0000000..b013ae8
--- /dev/null
+++ b/ansible/roles/core/files/sshd_config
@@ -0,0 +1,15 @@
+Port {{ ssh_port }}
+AuthenticationMethods {{ auth_methods }}
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+
+Match User kansible LocalPort {{ ssh_port }}
+ PasswordAuthentication no
+ AuthenticationMethods publickey
diff --git a/ansible/roles/core/handlers/main.yml b/ansible/roles/core/handlers/main.yml
new file mode 100644
index 0000000..7ac6a51
--- /dev/null
+++ b/ansible/roles/core/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+# handlers file for /etc/ansible/roles/core
+- name: restart ssh
+ service: name=ssh state=restarted
diff --git a/ansible/roles/core/meta/main.yml b/ansible/roles/core/meta/main.yml
new file mode 100644
index 0000000..08d11e3
--- /dev/null
+++ b/ansible/roles/core/meta/main.yml
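Review bot: `auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers` at the top of the auth stack makes PAM succeed immediately for any user listed in `/etc/authusers`, so the `pam_yubico.so` and `pam_unix.so` lines below it never run for those users; since configure-ssh.yml fills that file with the intended login accounts, the keyboard-interactive factor is skipped for exactly the users it is meant to protect, and the comment "bypass any further PAM settings" confirms that is what the line does. If the file is meant as an allow-list, `auth required pam_listfile.so item=user sense=allow file=/etc/authusers onerr=fail` gates the stack instead of short-circuiting it. `auth required pam_unix.so nullok` accepts accounts with an empty password, as its own comment notes; drop `nullok`. The `pam_yubico.so` line embeds what looks like a client API key as a literal and has stray `id` and `key` tokens between the options, so the key should come from a vaulted variable rendered by the template and the option syntax re-checked against the module documentation before this file goes on a host.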
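Review bot: `X11Forwarding yes` is enabled on what the commit describes as a general core server configuration; nothing in the role needs it, and it lets the server reach a connecting client's X display, so `X11Forwarding no` is the safer default unless a host overrides it. `AuthenticationMethods {{ auth_methods }}` with the default `publickey,keyboard-interactive`, `ChallengeResponseAuthentication yes` and `UsePAM yes` means the second factor is whatever `/etc/pam.d/sshd` decides, so this file and `files/sshd` have to be reviewed together; a comment on the `AuthenticationMethods` line saying `# keyboard-interactive is handled by /etc/pam.d/sshd` would make that dependency visible. The `Match User kansible LocalPort {{ ssh_port }}` block drops that user back to `publickey` only, which is reasonable for an automation account but deserves a comment on the `Match` line stating that intent.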
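Review bot: `service: name=ssh state=restarted` uses the key=value shorthand; Ansible's style guidance and ansible-lint prefer native YAML arguments, `service:` / `  name: ssh` / `  state: restarted`, which also diff more cleanly. The same shorthand appears in configure-git.yml, configure-ssh.yml, install-apps.yml and service-ssh.yml in this commit. The handler name `restart ssh` is what configure-ssh.yml's `notify` references, so a comment such as `# notified by tasks/configure-ssh.yml` on the handler helps anyone who later renames it.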
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: Shaun Reed
+ description: Template for core configuration of my servers
+ company: (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.4
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
diff --git a/ansible/roles/core/tasks/configure-git.yml b/ansible/roles/core/tasks/configure-git.yml
new file mode 100644
index 0000000..7cfa64b
--- /dev/null
+++ b/ansible/roles/core/tasks/configure-git.yml
@@ -0,0 +1,4 @@
+---
+- name: Configure Git
+ template: src=files/.gitconfig dest=~/.gitconfig
+ 
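Review bot: `min_ansible_version: 2.4` is an unquoted float, so the same field written as 2.10 would parse as 2.1; write it as `min_ansible_version: "2.4"`. `license: license (GPL-2.0-or-later, MIT, etc)` and `company: (optional)` are the unfilled galaxy-init placeholders while the README in this commit says BSD; pick a real SPDX id (`license: BSD-3-Clause` if that is the intent) and fill or remove `company`. `platforms` is left entirely commented out although the tasks rely on `apt` and the Debian `ssh` service name, so declaring the Debian/Ubuntu platform here would document the real constraint.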
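Review bot: `dest=~/.gitconfig` is expanded on the managed host for the user the task runs as, and core.yml sets `become: yes` for the whole play, so the rendered file lands in root's home rather than in the login user's; if the intended user is the `kansible` account that sshd_config and setup-vim.sh refer to, set `become_user: kansible` on the task or use an explicit `dest: /home/kansible/.gitconfig`. Once the user is fixed, setting `owner`, `group` and `mode: "0644"` on the task keeps the file from silently inheriting root ownership.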
diff --git a/ansible/roles/core/tasks/configure-ssh.yml b/ansible/roles/core/tasks/configure-ssh.yml
new file mode 100644
index 0000000..77fd836
--- /dev/null
+++ b/ansible/roles/core/tasks/configure-ssh.yml
@@ -0,0 +1,25 @@
+---
+- name: Copy server MOTD
+ template: src=files/motd dest=/etc/motd
+
+- name: Configure PAM
+ template: src=files/sshd dest=/etc/pam.d/sshd
+
+- name: Add authusers file
+ copy:
+ dest: "/etc/authusers"
+ content: |
+ user1
+ user2
+
+- name: Add authorized_yubikeys file
+ copy:
+ dest: "/etc/ssh/authorized_yubikeys"
+ content: |
+ user:cccckey1cccc:cccckey2cccc
+
+- name: Copy ssh configuration file
+ template: src=files/sshd_config dest=/etc/ssh/sshd_config
+ notify:
+ - restart ssh
+
diff --git a/ansible/roles/core/tasks/configure-vim.yml b/ansible/roles/core/tasks/configure-vim.yml
new file mode 100644
index 0000000..3429a9a
--- /dev/null
+++ b/ansible/roles/core/tasks/configure-vim.yml
@@ -0,0 +1,10 @@
+---
+- name: Clone github.com/shaunrd0/klips
+ git:
+ repo: https://github.com/shaunrd0/klips.git
+ clone: yes
+ dest: /etc/klips/
+
+- name: Vim setup script
+ script: /etc/ansible/roles/core/files/setup-vim.sh
+
diff --git a/ansible/roles/core/tasks/install-apps.yml b/ansible/roles/core/tasks/install-apps.yml
new file mode 100644
index 0000000..4233fc2
--- /dev/null
+++ b/ansible/roles/core/tasks/install-apps.yml
@@ -0,0 +1,4 @@
+---
+- name: Install packages
+ apt: name="{{ item }}" state=latest
+ with_items: "{{ packages }}"
diff --git a/ansible/roles/core/tasks/main.yml b/ansible/roles/core/tasks/main.yml
new file mode 100644
index 0000000..b8f8595
--- /dev/null
+++ b/ansible/roles/core/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for /etc/ansible/roles/core
+#
+
+# Install preferred apps
+- import_tasks: install-apps.yml
+
+# SSH
+- import_tasks: configure-ssh.yml
+- import_tasks: service-ssh.yml
+
+# Git
+- import_tasks: configure-git.yml
+
+# Vim
+- import_tasks: configure-vim.yml
+
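Review bot: The `Copy ssh configuration file` task writes the rendered template straight to `/etc/ssh/sshd_config` with no `validate:`, and then notifies `restart ssh`, so a bad render or an unsupported directive is installed and sshd is restarted on it, which can leave the host unreachable over SSH. Adding `validate: '/usr/sbin/sshd -t -f %s'` to that task makes Ansible reject the file before it replaces the live one. The `/etc/authusers` and `/etc/ssh/authorized_yubikeys` tasks hard-code placeholder content (`user1`/`user2`, `user:cccckey1cccc:cccckey2cccc`) and set no `owner`, `group` or `mode`, so the login allow-list and token IDs that the PAM stack trusts are copied from placeholders and their permissions depend on the host umask; drive them from role variables and set an explicit `mode: "0644"`. `/etc/pam.d/sshd` is written with `template` although `files/sshd` contains no Jinja, so `copy` would do, and `backup: true` on that task is worth having because a broken PAM stack also blocks logins.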
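Review bot: `script: /etc/ansible/roles/core/files/setup-vim.sh` is an absolute controller path, so the role only works when installed at exactly `/etc/ansible/roles/core`; the `script` module resolves a bare name against the role's `files/` directory, so `script: setup-vim.sh` is enough and portable. The `git` task clones `https://github.com/shaunrd0/klips.git` without a `version:`, so each run tracks whatever the remote's HEAD is at the time and the resulting vim configuration is not reproducible; pinning `version:` to a tag or commit (with a labelled placeholder such as `version: <pinned-commit>` until one is chosen) fixes that. `clone: yes` is the module's default and can be dropped, or written `true` if kept.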
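Review bot: `apt: name="{{ item }}" state=latest` upgrades every listed package on every run, so the task is never idempotent and silently pulls new versions onto a server whose other configuration this role otherwise fixes; `state: present` installs what is missing and leaves upgrades to a deliberate step. The `apt` module accepts a list directly, so `name: "{{ packages }}"` replaces the `with_items` loop and runs one apt transaction instead of three. There is no `update_cache`, so on a fresh host the install can fail against a stale package index; `update_cache: true` with a `cache_valid_time` keeps the refresh from repeating on every play.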
diff --git a/ansible/roles/core/tasks/service-ssh.yml b/ansible/roles/core/tasks/service-ssh.yml
new file mode 100644
index 0000000..4a7e00a
--- /dev/null
+++ b/ansible/roles/core/tasks/service-ssh.yml
@@ -0,0 +1,3 @@
+---
+- name: Start and enable ssh service
+ service: name=ssh state=restarted enabled=yes
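Review bot: `state=restarted` restarts sshd on every play run, not only when its configuration changed, which drops active sessions and makes the task report changed each time; since configure-ssh.yml already notifies the `restart ssh` handler, `state: started` with `enabled: true` is the idempotent form and the handler covers the config-change case. `enabled=yes` should be `true` for the same truthy reason as elsewhere in the commit. tasks/main.yml imports this file immediately after configure-ssh.yml, so on a config change the service would currently be restarted here and then again by the handler at the end of the play.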