Initial commit

roles/base/tasks/core.yml

@@ -0,0 +1,62 @@
+---
+# file: roles/base/tasks/core.yml
+
+- name: "*** Hostname Configuration ***"
+  include_tasks:
+    file: core_hostname.yml
+    apply:
+      tags: hostname
+  tags:
+  - hostname
+
+# Gather facts now that the hostname may have changed
+- name: Gather facts
+  setup:
+  when: hostname_change.changed
+
+- name: Gather service facts
+  service_facts:
+  tags:
+  - always
+
+- name: "*** MOTD Configuration ***"
+  include_tasks: 
+    file: core_motd.yml
+    apply:
+      tags: motd
+  tags:
+  - motd
+
+- name: "*** SSH Configuration ***"
+  include_tasks:
+    file: core_ssh.yml
+    apply:
+      tags: ssh
+  tags:
+  - ssh
+
+- name: "*** Generate Self-Signed Cert ***"
+  include_tasks:
+    file: core_cert.yml
+    apply:
+      tags: cert
+  when: base_core_cert_common_name != ''
+  tags:
+  - cert
+
+- name: "*** Root CA Install ***"
+  include_tasks: 
+    file: core_root_ca.yml
+    apply:
+      tags: root_ca
+  tags:
+  - root_ca
+
+- name: "*** Web Management Configuration ***"
+  include_tasks: 
+    file: core_web_management.yml
+    apply:
+      tags: web_management
+  when: base_core_web_management == true
+  tags:
+  - web_management

roles/base/tasks/core_cert.yml

@@ -0,0 +1,53 @@
+---
+# file: roles/base/tasks/core_cert.yml
+
+- name: Install pip
+  package:
+    name: python3-pip
+    state: latest
+  register: pip_install
+  when: ansible_python_version is version('3', '>=')
+
+- name: Upgrade pip
+  command : pip3 install -U pip 
+  when: pip_install.changed
+
+- name: Install latest python2-cryptography
+  package:
+    name: python2-cryptography
+    state: latest
+  when: ((ansible_python_version is version('2', '>=')) and (ansible_python_version is version('3', '<')) )
+
+- name: Install latest cryptography
+  pip:
+    name: cryptography
+    state: latest
+  when: ansible_python_version is version('3', '>=')
+
+- name: Ensure directory exists for local self-signed TLS certs
+  file:
+    path: /etc/ssl/{{ base_core_cert_common_name }}/live
+    state: directory
+
+- name: Generate an OpenSSL private key
+  openssl_privatekey:
+    path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
+
+- name: Generate an OpenSSL CSR
+  openssl_csr:
+    path: /etc/ssl/{{ base_core_cert_common_name }}/{{ base_core_cert_common_name }}.csr
+    privatekey_path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
+    common_name: "{{ base_core_cert_common_name }}"
+
+- name: Generate a self signed OpenSSL certificate
+  openssl_certificate:
+    path: /etc/ssl/{{ base_core_cert_common_name }}/live/fullchain.pem
+    privatekey_path: /etc/ssl/{{ base_core_cert_common_name }}/live/privkey.pem
+    csr_path: /etc/ssl/{{ base_core_cert_common_name }}/{{ base_core_cert_common_name }}.csr
+    provider: selfsigned
+
+- name: Create merged certificate
+  assemble:
+    src: /etc/ssl/{{ base_core_cert_common_name }}/live/
+    dest: /etc/ssl/{{ base_core_cert_common_name }}/live/merged.pem
+    regexp: '(fullchain.pem$|privkey.pem$)'

roles/base/tasks/core_hostname.yml

@@ -0,0 +1,58 @@
+---
+# file: roles/base/tasks/core_hostname.yml
+
+- name: Ensure system hostname
+  hostname:
+    name: "{{ base_core_hostname }}"
+  when: base_core_hostname != "" and base_core_hostname != ansible_facts['nodename']
+  register: hostname_change
+  notify: Reboot Host
+
+- block:
+  - name: Ensure hostname is set in /etc/hosts
+    lineinfile:
+      dest: /etc/hosts
+      regexp: '^127\.0\.0\.1[ \t]+localhost'
+      line: '127.0.0.1 localhost {{ base_core_hostname }}'
+      state: present
+
+  - name: Ensure hostname is set in /etc/hosts
+    lineinfile:
+      dest: /etc/hosts
+      regexp: '^127\.0\.1\.1[ \t]'
+      line: '127.0.1.1 {{ base_core_hostname }}'
+      state: present
+
+  - name: Remove ssh certs
+    file:
+      state: absent
+      path: "{{item}}"
+    loop:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+
+  - name: Generate /etc/ssh/ RSA host key
+    command : ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
+    args:
+      creates: /etc/ssh/ssh_host_rsa_key
+  
+  - name: Generate /etc/ssh/ DSA host key
+    command : ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
+    args:
+      creates: /etc/ssh/ssh_host_dsa_key
+  
+  - name: Generate /etc/ssh/ ECDSA host key
+    command : ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""
+    args:
+      creates: /etc/ssh/ssh_host_ecdsa_key
+
+  - name: Generate /etc/ssh/ ED25519 host key
+    command : ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "" -N ""
+    args:
+      creates: /etc/ssh/ssh_host_ed25519_key
+  when: hostname_change.changed
+
+- name: Flush handlers
+  meta: flush_handlers

roles/base/tasks/core_motd.yml

@@ -0,0 +1,42 @@
+---
+# file: roles/base/tasks/core_motd.yml
+
+- name: Disable unnecessary MOTD files
+  file:
+    path: "{{ item }}"
+    mode: 644
+  with_items:
+    - "/etc/update-motd.d/00-header"
+    - "/etc/update-motd.d/10-help-text"
+    - "/etc/update-motd.d/50-motd-news"
+    - "/etc/update-motd.d/50-landscape-sysinfo"
+  when: ansible_os_family == "Debian"
+
+- name: Disable motd-news service in config file
+  ansible.builtin.lineinfile:
+    path: /etc/default/motd-news
+    regexp: ^ENABLED=
+    line: "ENABLED=0"
+  when: ansible_os_family == "Debian"
+  notify:
+    - Reboot Host
+
+- name: Disable motd-news timer
+  service:
+    name: motd-news.timer
+    state: stopped
+    enabled: no
+  when: ansible_os_family == "Debian"
+
+- name: Install the MOTD Script
+  template: 
+    src: motd.j2
+    dest: /etc/profile.d/login-info.sh
+
+- name: Configure SSH to not use the default MOTD
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PrintMotd '
+    line: PrintMotd no
+  notify:
+    - Restart SSH

roles/base/tasks/core_root_ca.yml

@@ -0,0 +1,73 @@
+---
+# file: roles/base/tasks/core_root_ca.yml
+
+- name: Install ca-certificates package
+  package:
+    name: ca-certificates
+    state: latest
+
+- block: 
+  - name: Create temporary file for cert download
+    tempfile:
+      state: file
+      suffix: temp
+    register: cert_download
+    changed_when: False
+
+  - name: Download root CA cert
+    get_url: 
+      url: "{{ base_core_root_ca_url }}"
+      dest: "{{ cert_download.path }}"
+      force: yes    
+    changed_when: False
+
+  - block:
+    - name: Convert der to pem
+      command: "openssl x509 -inform DER -outform PEM -in '{{ cert_download.path }}' -out '{{ cert_download.path }}.crt'"
+      changed_when: False
+
+    - name: Replace the temp file with the converted cert
+      copy:
+        src: "{{ cert_download.path }}.crt"
+        dest: "{{ cert_download.path }}"
+        remote_src: yes
+      changed_when: False
+    
+    - name: Remove the temporary converted cert
+      file:
+        path: "{{ cert_download.path }}.crt"
+        state: absent
+      changed_when: False
+    when: base_core_root_ca_convert == true
+
+  - name: Ensure CR are removed
+    replace:
+      dest: "{{ cert_download.path }}"
+      regexp: "\r"
+    changed_when: False
+
+  - name: Copy the certificate
+    copy:
+      src: "{{ cert_download.path }}"
+      dest: "/usr/local/share/ca-certificates/{{ base_core_root_ca_basename }}.crt"
+      remote_src: yes
+    notify: Update CA Debian
+    when: ansible_os_family == "Debian"
+
+  - name: Copy the certificate
+    copy:
+      src: "{{ cert_download.path }}"
+      dest: "/etc/pki/ca-trust/source/anchors/{{ base_core_root_ca_basename }}.crt"
+      remote_src: yes
+    notify: Update CA RedHat
+    when: ansible_os_family == "RedHat"
+
+  - name: Remove the temporary file
+    file:
+      path: "{{ cert_download.path }}"
+      state: absent
+    when: cert_download.path is defined
+    changed_when: False
+  when: base_core_root_ca_url != "" and base_core_root_ca_basename != ""
+  
+

roles/base/tasks/core_ssh.yml

@@ -0,0 +1,51 @@
+---
+# file: roles/base/tasks/core_ssh.yml
+
+- name: Install the issue notice
+  template: 
+    src: issue.j2
+    dest: /etc/issue
+  notify: Restart SSH
+  tags:
+  - issue
+
+- name: Configure SSH to display the issue notice
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?Banner '
+    line: Banner /etc/issue
+  notify: Restart SSH
+  tags:
+  - issue
+
+- name: Setup authorized keys
+  authorized_key:
+    user: "{{ base_core_management_user }}"
+    state: present
+    key: '{{ lookup("file", item) }}'
+  with_fileglob:
+    - "public_keys/*"
+  tags:
+  - authorized_key
+
+- name: Configure SSH root login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PermitRootLogin '
+    line: PermitRootLogin no
+  when: base_core_ssh_permit_root_login == false
+  notify:
+    - Restart SSH
+  tags:
+  - root_login
+
+- name: Configure SSH password auth
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication '
+    line: PasswordAuthentication no
+  when: base_core_ssh_permit_password_authentication == false
+  notify:
+    - Restart SSH
+  tags:
+  - password_auth

roles/base/tasks/core_web_management.yml

@@ -0,0 +1,39 @@
+---
+# file: roles/base/tasks/core_web_management.yml
+
+- name: Install cockpit packages
+  package:
+    name: 
+      - cockpit
+      - cockpit-networkmanager
+      - cockpit-packagekit
+      - cockpit-storaged
+      - cockpit-dashboard
+    state: present
+
+- name: Install cockpit-machines package
+  package:
+    name: cockpit-machines
+    state: present
+  when: "'libvirt' in services"
+
+- name: Install redhat cockpit packages
+  package:
+    name: 
+      - cockpit-selinux
+      - cockpit-sosreport
+    state: present
+  when: ansible_os_family == "RedHat"
+
+- name: Use created self-signed cert
+  file:
+    src: /etc/ssl/{{ base_core_cert_common_name }}/live/merged.pem
+    dest: /etc/cockpit/ws-certs.d/50-ansible.crt
+    state: link
+  when: base_core_cert_common_name != ''
+
+- name: Start and enable cockpit service
+  service:
+    name: cockpit.socket
+    state: started
+    enabled: yes

roles/base/tasks/debian.yml

@@ -0,0 +1,40 @@
+---
+# file: roles/base/tasks/debian.yml
+
+- name: Install Current Updates
+  apt:
+    upgrade: full
+    update_cache: yes
+  when: base_core_install_updates == true
+
+- name: "*** Debian: Kernel Configuration ***"
+  include_tasks: 
+    file: debian_kernel.yml
+    apply:
+      tags: kernel
+  tags:
+  - kernel
+
+- name: "*** Debian: Time Sync Configuration ***"
+  include_tasks: 
+    file: debian_time_sync.yml
+    apply:
+      tags: time_sync
+  tags:
+  - time_sync
+
+- name: "*** Debian: Automatic Updates Configuration ***"
+  include_tasks: 
+    file: debian_automatic_updates.yml
+    apply:
+      tags: automatic_updates
+  tags:
+  - automatic_updates
+
+- name: "*** Debian: Firewall Configuration ***"
+  include_tasks: 
+    file: debian_firewall.yml
+    apply:
+      tags: firewall
+  tags:
+  - firewall

roles/base/tasks/debian_automatic_updates.yml

@@ -0,0 +1,56 @@
+---
+# file: roles/base/tasks/debian_automatic_updates.yml
+
+- name: Install unattended upgrade packages
+  package:
+    name: 
+      - unattended-upgrades
+      - update-notifier-common
+    state: latest
+
+- name: Activate auto upgrades
+  template:
+    src: 20auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: Enable updates for all repos
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '"\${distro_id}:\${distro_codename}-updates";'
+    line: '        "*:*";'
+
+- name: Enable auto-reboot
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^\/?\/?Unattended-Upgrade::Automatic-Reboot '
+    line: 'Unattended-Upgrade::Automatic-Reboot "true";'
+
+- name: Configure auto-reboot time
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^\/?\/?Unattended-Upgrade::Automatic-Reboot-Time '
+    line: 'Unattended-Upgrade::Automatic-Reboot-Time "03:30";'
+
+- name: Ensure directory exists for daily download timer
+  file: 
+    path: /etc/systemd/system/apt-daily.timer.d
+    recurse: yes
+    state: directory
+
+- name: Configure daily download timer
+  template:
+    src: apt-daily.timer.d_override.conf.j2
+    dest: /etc/systemd/system/apt-daily.timer.d/override.conf
+  notify: Daemon Reload
+
+- name: Ensure directory exists for daily upgrade timer
+  file: 
+    path: /etc/systemd/system/apt-daily-upgrade.timer.d
+    recurse: yes
+    state: directory
+
+- name: Configure daily upgrade timer
+  template:
+    src: apt-daily-upgrade.timer.d_override.conf.j2
+    dest: /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
+  notify: Daemon Reload

roles/base/tasks/debian_firewall.yml

@@ -0,0 +1,25 @@
+---
+# file: roles/base/tasks/debian_firewall.yml
+
+- name: Allow SSH access through the firewall
+  ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+    interface: eth0
+    direction: in
+  notify: Reload UFW
+
+- name: Allow web management access through the firewall
+  ufw:
+    rule: allow
+    port: "9090"
+    proto: tcp
+  notify: Reload UFW
+  when: base_core_web_management == true
+  tags:
+  - web_management
+
+- name: Enable firewall
+  ufw:
+    state: enabled

roles/base/tasks/debian_kernel.yml

@@ -0,0 +1,8 @@
+---
+# file: roles/base/tasks/debian_kernel.yml
+
+- name: Install linux-azure kernel
+  package:
+    name: linux-azure
+    state: latest
+  notify: Reboot Host

roles/base/tasks/debian_time_sync.yml

@@ -0,0 +1,31 @@
+---
+# file: roles/base/tasks/debian_time_sync.yml
+
+- name: Install chrony
+  package:
+    name: chrony
+    state: latest
+
+- name: Set refclock
+  lineinfile:
+    path: /etc/chrony/chrony.conf
+    line: 'refclock PHC /dev/ptp0 trust poll 1 filter 4'
+    insertafter: EOF
+
+- name: Set makestep
+  lineinfile:
+    path: /etc/chrony/chrony.conf
+    regexp: '^makestep '
+    line: 'makestep 1 -1'
+
+- name: Disable systemd-timesyncd
+  service:
+    name: systemd-timesyncd
+    state: stopped
+    enabled: false
+
+- name: Enable chrony
+  service:
+    name: chronyd
+    state: started
+    enabled: true

roles/base/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+# file: roles/base/tasks/main.yml
+
+- name: "### Core Tasks ###"
+  include_tasks:
+    file: core.yml
+  tags:
+  - always
+
+- name: "### Debian Family ###"
+  include_tasks:
+    file: debian.yml
+  when: ansible_os_family == "Debian"
+  tags:
+  - always
+
+- name: "### RedHat Family ###"
+  include_tasks:
+    file: redhat.yml
+  when: ansible_os_family == "RedHat"
+  tags:
+  - always

roles/base/tasks/redhat.yml

@@ -0,0 +1,40 @@
+---
+# file: roles/base/tasks/redhat.yml
+
+- name: Install Current Updates
+  yum:
+    name: '*'
+    state: latest
+  when: base_core_install_updates == true
+
+- name: "*** RedHat: EPEL Install ***"
+  include_tasks: 
+    file: redhat_epel.yml
+    apply:
+      tags: epel
+  tags:
+  - epel
+
+- name: "*** RedHat: Time Sync Configuration ***"
+  include_tasks: 
+    file: redhat_time_sync.yml
+    apply: 
+      tags: time_sync
+  tags:
+  - time_sync
+
+- name: "*** RedHat: Automatic Updates Configuration ***"
+  include_tasks: 
+    file: redhat_automatic_updates.yml
+    apply:
+      tags: automatic_updates
+  tags:
+  - automatic_updates
+
+- name: "*** RedHat: Firewall Configuration ***"
+  include_tasks: 
+    file: redhat_firewall.yml
+    apply:
+      tags: firewall
+  tags:
+  - firewall

roles/base/tasks/redhat_automatic_updates.yml

@@ -0,0 +1,50 @@
+---
+# file: roles/base/tasks/redhat_automatic_updates.yml
+    
+- name: Install dnf-automatic package
+  package:
+    name: dnf-automatic
+    state: present
+
+- name: Install yum-utils package for needs restarting
+  package:
+    name: yum-utils
+    state: present
+  when: ansible_distribution_major_version == 7
+
+- name: Deploy dnf-automatic configuration file
+  template:
+    src: automatic.conf.j2
+    dest: /etc/dnf/automatic.conf
+
+- name: Create dnf-automatic-install.timer directory
+  file:
+    path: /etc/systemd/system/dnf-automatic-install.timer.d
+    recurse: yes
+    state: directory
+
+- name: Deploy dnf-automatic install timer override
+  template:
+    src: dnf-automatic-install.timer.j2
+    dest: /etc/systemd/system/dnf-automatic-install.timer.d/time.conf
+  become: yes
+  notify: Daemon Reload
+
+- name: Start and enable systemd timer for dnf-automatic
+  service:
+    name: dnf-automatic-install.timer
+    state: started
+    enabled: yes
+
+- name: Create dnf-automatic-install.service directory
+  file:
+    path: /etc/systemd/system/dnf-automatic-install.service.d
+    recurse: yes
+    state: directory
+
+- name: Deploy dnf-automatic install service override
+  template:
+    src: "dnf-automatic-install.service-{{ ansible_distribution_major_version }}.j2"
+    dest: /etc/systemd/system/dnf-automatic-install.service.d/override.conf
+  become: yes
+  notify: Daemon Reload

roles/base/tasks/redhat_epel.yml

@@ -0,0 +1,8 @@
+---
+# file: roles/base/tasks/redhat_epel.yml
+
+- name: Install EPEL RPM
+  package:
+    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
+    state: present
+    disable_gpg_check: True

roles/base/tasks/redhat_firewall.yml

@@ -0,0 +1,25 @@
+---
+# file: roles/base/tasks/redhat_firewall.yml
+
+- name: Allow SSH access through the firewall
+  firewalld:
+    service: ssh
+    permanent: yes
+    state: enabled
+  notify: Reload Firewalld
+
+- name: Allow web management access through the firewall
+  firewalld:
+    service: cockpit
+    permanent: yes
+    state: enabled
+  notify: Reload Firewalld
+  when: base_core_web_management == true
+  tags:
+  - web_management
+
+- name: Enable firewall
+  service:
+    name: firewalld
+    state: started
+    enabled: yes

roles/base/tasks/redhat_time_sync.yml

@@ -0,0 +1,13 @@
+---
+# file: roles/base/tasks/redhat_time_sync.yml
+
+- name: Install chrony package
+  package:
+    name: chrony
+    state: present
+
+- name: Start and enable chrony
+  service:
+    name: chronyd
+    state: started
+    enabled: yes