Preflight tasks (Initial)

README.md

@@ -1,2 +1,2 @@
-# linode-preflight
+# Linode-Preflight
 A set of Ansible tasks for preflighting a Linode instance.

defaults/main.yml

@@ -0,0 +1,15 @@
+---
+# Preflight
+preflight__timezone: UTC
+
+# Firewall
+firewall__ssh_rule: limit
+
+# User
+admin_user: "admin"
+admin_group: "admin"
+
+# SSH Config
+ssh__port: 8822
+ssh__password_authentication: "no"
+ssh__address_family: "inet"

handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+  become: yes

meta/main.yml

@@ -0,0 +1,9 @@
+galaxy-info:
+  author: James Lavender
+  description: A set of preflight tasks for any Linode Instance.
+  license: GPLv3
+  min_ansible_version: 1.2
+  galaxy-tags:
+    - linode-preflight
+
+dependencies: []

tasks/add_user.yml

@@ -0,0 +1,25 @@
+---
+- name: add_user | Add admin user
+  user:
+    name: "{{ admin_user }}"
+    group: "{{ admin_group }}"
+    state: present
+    create_home: yes
+  become: yes
+
+- name: add_user | Ensure admin user ssh directory exists
+  file:
+    path: "/home/{{ admin_user }}/.ssh/"
+    state: directory
+    owner: "{{ admin_user }}"
+    group: "{{ admin_group }}"
+    mode: 0700
+  become: yes
+
+- name: add_user | Add SSH keys to admin user
+  authorized_key:
+    user: "{{ admin_user }}"
+    state: "{{ item.state }}"
+    key: "{{ item.key }}"
+  with_items: "{{ authorized_keys }}"
+  become: yes

tasks/firewall.yml

@@ -0,0 +1,49 @@
+---
+- name: firewall | install ufw
+  apt:
+    pkg: ufw
+    state: present
+  become: yes
+
+- name: firewall | Open ssh port
+  ufw:
+    state: enabled
+    rule: "{{ firewall__ssh_rule }}"
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - 22
+    - 8822
+  become: yes
+
+- name: firewall | deny all incoming connections
+  ufw:
+    state: enabled
+    policy: deny
+    direction: incoming
+  become: yes
+
+- name: firewall | allow all outgoing connections
+  ufw:
+    state: enabled
+    policy: allow
+    direction: outgoing
+  become: yes
+
+- name: firewall | allow all connections from localhost
+  ufw:
+    state: enabled
+    from: "127.0.0.1"
+    rule: allow
+    proto: any
+  become: yes
+
+- name: firewall | Copy SSH config
+  template:
+    src: "etc/ssh/sshd_config.j2"
+    dest: "/etc/ssh/sshd_config"
+    mode: 0644
+    validate: '/usr/sbin/sshd -t -f %s'
+  become: yes
+  notify: restart sshd
+

tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include_tasks: preflight.yml
+- include_tasks: add_user.yml
+- include_tasks: firewall.yml

tasks/oh-my-bash.yml

@@ -0,0 +1,2 @@
+---
+- name: ohmybash | Install oh-my-bash

tasks/preflight.yml

@@ -0,0 +1,27 @@
+---
+- name: preflight | install ntp
+  apt:
+    name: ntp
+    state: present
+  become: yes
+
+- name: preflight | ensure ntp is running on boot
+  service:
+    name: ntp
+    state: started
+    enabled: yes
+  become: yes
+
+- name: preflight | Set Timezone
+  timezone:
+    name: "{{ preflight__timezone }}"
+  become: yes
+
+- name: preflight | copy 10periodic unattended upgrades
+  template:
+    src: "etc/apt/apt.conf.d/10periodic.j2"
+    dest: "/etc/apt/apt.conf.d/10periodic"
+    owner: root
+    group: root
+    mode: 0644
+  become: yes

templates/etc/apt/apt.conf.d/10periodic.j2

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";

templates/etc/ssh/sshd_config.j2

@@ -0,0 +1,123 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ ssh__port }}
+AddressFamily {{ ssh__address_family }}
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ ssh__password_authentication }}
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server