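- name: Disallow password authentication
  # Key-only logins. An authorized key for the Ansible user must already be in
  # place, otherwise the next connection after "Restart ssh" is locked out.
  # NOTE(review): the regexp only matches an uncommented directive; on a stock
  # file (`#PasswordAuthentication yes`) the line is appended at EOF, which
  # would land inside a trailing `Match` block if one exists — add
  # `insertbefore: "^Match"` in that case. Keyboard-interactive (PAM) login
  # is a separate directive; confirm the effective policy with `sshd -T`.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present
    # Syntax-check the candidate file before it replaces sshd_config, so a
    # bad edit cannot take the daemon down on the restart that follows.
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart ssh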
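- name: Disallow root SSH access
  # Root must never log in over SSH, even with a key; administration goes
  # through an unprivileged account plus sudo.
  # NOTE(review): as with the password task, an uncommented directive is
  # required for the regexp to match; otherwise the line is appended at EOF
  # (use `insertbefore: "^Match"` if the file ends with a Match block).
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    state: present
    # Reject a syntactically broken config before it is written.
    validate: "/usr/sbin/sshd -t -f %s"
  notify: Restart ssh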
- name: docker apt repo keyserver
  # Trust anchor for the apt.dockerproject.org repository added in the next
  # task. hkp on port 80 is a cleartext fetch; what actually pins the key is
  # the full 40-character fingerprint in `id`, so never shorten it.
  # NOTE(review): this keyserver pool is no longer maintained; a current
  # playbook should fetch the key over HTTPS (apt_key `url:`) and keep the
  # same `id` so the fingerprint check still applies.
  apt_key:
    id: "58118E89F3A912897C070ADBF76221572C52609D"
    keyserver: "hkp://ha.pool.sks-keyservers.net:80"
    state: present
- name: additional apt repos
  # OpenJDK PPA plus the Docker repository (https, signed by the key imported
  # above). The PPA's signing key is fetched by apt_repository itself.
  # NOTE(review): the release name is hard-coded to xenial, and several
  # packages below (php-mcrypt, letsencrypt) are 16.04-specific as well, so
  # this play targets Ubuntu 16.04 only.
  apt_repository:
    repo: "{{ item }}"
    state: present
  with_items:
    - "ppa:openjdk-r/ppa"
    - "deb https://apt.dockerproject.org/repo ubuntu-xenial main"
- name: install required packages
  # Base toolchain, web/PHP/MySQL stack, Docker, and the host-hardening
  # helpers (fail2ban, ufw, unattended-upgrades, logwatch).
  # NOTE(review): mysql-server is installed without a preseeded root
  # password; the root credentials are set in a later task. postfix is not
  # listed here even though it is configured below — if it arrives only as a
  # dependency of logwatch, it is installed here, before the debconf answers.
  apt:
    name: "{{ item }}"
    state: present
    update_cache: true
  with_items:
    - apt-transport-https
    - ca-certificates
    - curl
    - docker-engine
    - fail2ban
    - gcc
    - g++
    - git
    - letsencrypt
    - linux-image-extra-virtual
    - logwatch
    - make
    - mysql-client
    - mysql-server
    - nginx
    - ntp
    - openssl
    - php
    - php-fpm
    - php-cli
    - php-curl
    - php-mysql
    - php-mcrypt
    - python-mysqldb
    - tar
    - ufw
    - unattended-upgrades
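- name: setup unattended-upgrades
  # Periodic apt settings (the 10periodic file itself is not part of this
  # listing, so whether it actually enables Unattended-Upgrade is not
  # verifiable here). Ownership and mode are pinned so a stray umask on the
  # control host cannot leave an apt config file world-writable.
  copy:
    src: 10periodic
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: "0644"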
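# Firewall. The allow rules are written before the default-deny policy is
# enabled, so there is no window in which a new SSH connection is refused.
# (An already-open Ansible session survives either way; a reconnect between
# tasks would not.)
- name: Allow ssh traffic
  # `limit` rate-limits new connections per source address, which blunts
  # brute force on top of the key-only policy set in sshd_config.
  ufw:
    rule: limit
    port: "22"
    proto: tcp
- name: Allow all nginx traffic
  # Application profile shipped by the nginx package (HTTP and HTTPS).
  ufw:
    rule: allow
    name: "Nginx Full"
- name: setup ufw
  # Default-deny inbound, then enable. Everything not opened above — in
  # particular mysql and postfix — stays unreachable from outside the host.
  ufw:
    state: enabled
    policy: deny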
- name: setup Postfix to relay mail
  # Preseed the postfix installer so it never prompts. "Internet Site"
  # presumably has postfix accept inbound SMTP; ufw's default-deny keeps
  # port 25 off the network, so only local delivery/relay is reachable.
  # NOTE(review): postfix is not in the package list above. If it is pulled
  # in as a dependency of logwatch it is already installed by the time these
  # answers are written, and they only take effect on a dpkg-reconfigure.
  debconf:
    name: postfix
    question: "{{ item.question }}"
    value: "{{ item.value }}"
    vtype: "{{ item.vtype }}"
  with_items:
    - question: "postfix/mailname"
      value: "{{ ansible_fqdn }}"
      vtype: string
    - question: "postfix/main_mailer_type"
      value: "Internet Site"
      vtype: string
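- name: Email log summary daily
  # Daily logwatch report to the operator. `create: true` means the file is
  # written even if the logwatch package did not ship it — in that case it
  # needs an executable mode or run-parts silently skips it, hence the
  # explicit mode below. logwatch_emails is an operator-supplied variable
  # that is spliced into a shell line; keep it to plain addresses.
  lineinfile:
    dest: /etc/cron.daily/00logwatch
    regexp: "^/usr/sbin/logwatch"
    line: "/usr/sbin/logwatch --output mail --mailto {{ logwatch_emails }} --detail high"
    state: present
    create: true
    owner: root
    group: root
    mode: "0755"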
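- name: enable mcrypt for php
  # No shell features are used, so run the binary directly: nothing in the
  # argument list is subject to shell interpretation.
  # NOTE(review): this is not idempotent — it reports changed and triggers
  # the php restart on every run. A `creates:` guard on the conf.d ini that
  # phpenmod writes would fix that once the path for this PHP version is
  # confirmed on the target.
  command: phpenmod mcrypt
  notify: Restart php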
- name: Start the MySQL service
  # Running now (the next task needs to log in) and enabled at boot.
  service:
    name: mysql
    enabled: true
    state: started
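- name: update mysql root password for all root accounts
  # Set the root password for every local root identity the server may have.
  # check_implicit_admin first tries a passwordless/socket login (a fresh
  # install), then falls back to mysql_root_password (subsequent runs), so the
  # task converges either way. no_log keeps the credential out of play output
  # and logs, including in verbose and loop result dumps.
  mysql_user:
    name: root
    host: "{{ item }}"
    password: "{{ mysql_root_password }}"
    login_user: root
    login_password: "{{ mysql_root_password }}"
    check_implicit_admin: true
    priv: "*.*:ALL,GRANT"
  no_log: true
  with_items:
    - "{{ ansible_hostname }}"
    - "127.0.0.1"
    - "::1"
    - localhost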
- name: start docker
  # Docker daemon running and enabled at boot. No task shown here adds anyone
  # to the docker group — membership is root-equivalent, so keep it that way.
  service:
    name: docker
    enabled: true
    state: started
- name: srv directory
  # Root-owned parent for the application tree extracted below.
  file:
    path: /srv
    state: directory
    owner: root
    group: root
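- name: pufferpanel group
  group:
    name: pufferpanel
    state: present
- name: pufferpanel user
  # Dedicated service account that owns the extracted application. The
  # primary group is set explicitly: without it, useradd on a system that
  # auto-creates per-user groups may refuse because a group of this name
  # already exists. `groups`/`append` are kept for hosts created earlier.
  # NOTE(review): a login shell is not needed for a service account —
  # consider `shell: /usr/sbin/nologin` and `system: true` once confirmed
  # that nothing runs commands as this user via a login shell.
  user:
    name: pufferpanel
    group: pufferpanel
    groups: pufferpanel
    append: true
    createhome: false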
- name: pufferpanel
  # Fetch and unpack the pinned PufferPanel release under /srv, owned by the
  # service account. The download is over HTTPS but is not integrity-checked:
  # unarchive has no checksum option, so a supply-chain-conscious version
  # would get_url the tarball with `checksum:` first and unpack the local
  # copy. NOTE(review): the extracted tree is writable by the user the app
  # runs as, which lets a compromised app rewrite its own code; consider
  # root ownership with only the writable subdirectories chowned.
  unarchive:
    src: "https://github.com/PufferPanel/PufferPanel/releases/download/v0.8.6/pufferpanel.tar.gz"
    dest: /srv
    remote_src: true
    owner: pufferpanel
    group: pufferpanel
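- name: create diffie-hellman group
  # Custom 2048-bit DH parameters for nginx (avoids well-known default
  # groups). These are public values, so a world-readable file is fine.
  # No shell features are needed, so use `command`; `creates` makes the
  # (slow) generation run once.
  command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  args:
    creates: /etc/ssl/certs/dhparam.pem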
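- name: install cert
  # First issuance. --standalone has the client bind port 80 itself, which is
  # why nginx is stopped around it (the ufw profile above already admits 80).
  # The original `stop && letsencrypt && start` chain left nginx down whenever
  # issuance failed; nginx is now restarted unconditionally and the client's
  # exit status is what the task reports. server_name/ssl_email come from
  # inventory and are spliced into a shell line, so they are shell-quoted.
  # NOTE(review): -w is a webroot option and presumably has no effect under
  # --standalone; once the nginx template below serves
  # /var/www/{{ server_name }}, this can switch to --webroot and drop the
  # stop/start entirely.
  shell: |
    systemctl stop nginx
    letsencrypt certonly --standalone --non-interactive --agree-tos \
      -w /var/www/{{ server_name | quote }} -d {{ server_name | quote }} \
      --email {{ ssl_email | quote }}
    rc=$?
    systemctl start nginx
    exit $rc
  args:
    # Idempotency guard: skip once a certificate exists for this name.
    creates: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"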
- name: lets-encrypt renew cron
  # Twice-daily renewal attempt; the client only renews when the certificate
  # is close to expiry. Only stdout is captured in the log file.
  cron:
    name: le-renew
    minute: "30"
    hour: "2,14"
    job: "/usr/bin/letsencrypt renew >> /var/log/le-renew.log"
- name: nginx reload
  # Reload nginx five minutes after each renewal slot so a new certificate is
  # picked up — presumably done as a separate cron because the client version
  # used here has no renew hook; the reload runs whether or not anything was
  # renewed.
  cron:
    name: nginx-reload
    minute: "35"
    hour: "2,14"
    job: "/bin/systemctl reload nginx"
- name: nginx config
  # Render the default site from the nginx.conf template (not shown here).
  # Mode is quoted so YAML cannot reinterpret the octal literal. A `validate:`
  # is not used because `nginx -t` checks a full nginx.conf, not a single
  # site file. A reload handler would suffice, but the handler set is
  # outside this listing.
  template:
    src: nginx.conf
    dest: /etc/nginx/sites-available/default
    force: true
    owner: root
    group: root
    mode: "0644"
  notify: Restart nginx