Used after backup_user_setup.yml to push basic config changes
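---
# Second-stage provisioning play for a freshly bootstrapped apt-based host.
# It connects as the "backup" user created by the preceding play and
# escalates with become for every task.
#
# Every template/copy task below uses an absolute src path (e.g.
# /etc/resolv.conf), so the file pushed to the target is the control node's
# own copy, not a file under a templates/ directory. Several of those files
# are installed with mode 0744 as in the original; the execute bit is not
# needed on plain config files and 0644 would be the usual choice.
- name: Roll out basic config changes to a new server
  hosts: all
  remote_user: backup
  become: true
  tasks:
    - name: Disable root login in sshd_config
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin '
        line: 'PermitRootLogin no'
        state: present
        insertafter: EOF
        # Refuse to write a sshd_config that sshd itself rejects, so the
        # ssh restart at the end of the play cannot lock us out of the host.
        validate: '/usr/sbin/sshd -t -f %s'

    - name: Copy over resolv.conf
      template:
        src: /etc/resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: "0744"

    # Install basic packages. Only the first apt task refreshes the package
    # cache; the later ones rely on it.
    - name: Install python
      apt:
        name: python
        update_cache: true

    - name: Install bash-completion
      apt:
        name: bash-completion

    - name: Install git
      apt:
        name: git

    - name: Install etckeeper
      apt:
        name: etckeeper

    # Make etckeeper commit whenever apt installs something.
    - name: Copy over 99git-gc
      template:
        src: /etc/etckeeper/post-install.d/99git-gc
        dest: /etc/etckeeper/post-install.d/99git-gc
        owner: root
        group: root
        mode: "0744"

    # Set up exim4.
    - name: Install exim4
      apt:
        name: exim4

    - name: Copy over exim4 config
      template:
        src: /etc/exim4/update-exim4.conf.conf
        dest: /etc/exim4/update-exim4.conf.conf
        owner: root
        group: root
        mode: "0744"

    - name: Apply exim4 config
      command: /usr/sbin/update-exim4.conf

    - name: Set root email alias to sysadmin address
      lineinfile:
        dest: /etc/aliases
        regexp: '^root:'
        line: 'root: sysadmin@gofreewire.com'
        state: present

    - name: Update aliases.db
      command: /usr/bin/newaliases

    # inventory_hostname is interpolated into the argv. The command module
    # does not go through a shell, but a hostname containing spaces or quote
    # characters would still be split unexpectedly by the argument parser.
    - name: Generate a /etc/mailname file for each host
      local_action: command /usr/local/bin/generate_mailname.sh {{ inventory_hostname }}

    - name: Copy /etc/mailname file to host
      copy:
        src: "/tmp/mailname_{{ inventory_hostname }}"
        dest: /etc/mailname
        owner: root
        mode: "0644"

    # NOTE(review): this edits update-exim4.conf.conf *after* the
    # "Apply exim4 config" task ran; it presumably relies on the restart
    # below picking the change up -- confirm on a live host.
    - name: Set exim to accept mail destined for the host's hostname and FQDN
      lineinfile:
        state: present
        path: /etc/exim4/update-exim4.conf.conf
        regexp: '^dc_other_hostnames=.*$'
        # NOTE(review): the original key=value form had an unbalanced single
        # quote and a trailing "$" here; a closed quoted list is assumed to be
        # the intent -- confirm against update-exim4.conf.conf on a live host.
        line: "dc_other_hostnames='{{ inventory_hostname }}.freewirebroadband.com; {{ inventory_hostname }}'"

    - name: Restart exim4
      service:
        name: exim4
        state: restarted

    - name: Delete local mailname file for host
      local_action: file path=/tmp/mailname_{{ inventory_hostname }} state=absent

    # Set up ntp.
    - name: Install ntp
      apt:
        name: ntp

    - name: Copy over ntp.conf
      template:
        src: /etc/ntp.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: "0744"

    - name: Restart ntp service
      service:
        name: ntp
        state: restarted

    # ntpq -p only prints the peer table; it does not force a clock step.
    # It is read-only, so it never counts as a change.
    - name: Sync clock
      command: /usr/bin/ntpq -p
      changed_when: false

    # Set up login banners.
    - name: Enable banner in sshd_config
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Banner '
        line: 'Banner /etc/issue.net'
        state: present
        insertbefore: BOF
        # Same guard as the PermitRootLogin task: never leave sshd with a
        # config it cannot parse.
        validate: '/usr/sbin/sshd -t -f %s'

    - name: Copy over /etc/issue
      template:
        src: /etc/issue
        dest: /etc/issue
        owner: root
        group: root
        mode: "0744"

    - name: Copy over /etc/issue.net
      template:
        src: /etc/issue.net
        dest: /etc/issue.net
        owner: root
        group: root
        mode: "0744"

    # Set up snmpd.
    - name: Install snmpd
      apt:
        name: snmpd

    # Make sure local permissions will allow us to read the file on the
    # control node. Note this makes the controller's snmpd.conf (which may
    # hold community strings) world-readable; a mode that only grants the
    # ansible user read access would be tighter.
    - name: Set local permissions on snmpd.conf
      local_action: file path=/etc/snmp/snmpd.conf mode=0755

    - name: Copy over snmpd.conf
      template:
        src: /etc/snmp/snmpd.conf
        dest: /etc/snmp/snmpd.conf
        owner: root
        group: root
        mode: "0740"

    - name: Copy over /etc/default/snmpd
      template:
        src: /etc/default/snmpd
        dest: /etc/default/snmpd
        owner: root
        group: root
        mode: "0644"

    # Two restarts because only doing one doesn't always work. The duplicate
    # task name is deliberate; it is kept so that both restarts run.
    - name: restart snmpd
      service:
        name: snmpd
        state: restarted

    - name: restart snmpd
      service:
        name: snmpd
        state: restarted

    # Set up rsyslog to forward to Graylog. A single "@" in rsyslog means
    # UDP: unencrypted and unacknowledged, so log lines can be lost or read
    # in transit. "@@" selects TCP; TLS needs the omfwd/gtls setup.
    - name: Set rsyslog to log to graylog
      lineinfile:
        dest: /etc/rsyslog.conf
        regexp: 'atlas-graylog:55516'
        line: '*.*;mail.warn @atlas-graylog:55516'
        state: present

    - name: Restart rsyslog
      service:
        name: rsyslog
        state: restarted

    # Set up iptables.
    - name: Install iptables-persistent
      apt:
        name: iptables-persistent

    # Make sure local permissions will allow us to read the rules files on
    # the control node.
    - name: Set local permissions on iptables IPv4 config
      local_action: file path=/etc/iptables/rules.v4 mode=0755

    - name: Set local permissions on iptables IPv6 config
      local_action: file path=/etc/iptables/rules.v6 mode=0755

    - name: Copy over IPv4 iptables rules
      template:
        src: /etc/iptables/rules.v4
        dest: /etc/iptables/rules.v4
        owner: root
        group: root
        mode: "0744"

    - name: Copy over IPv6 iptables rules
      template:
        src: /etc/iptables/rules.v6
        dest: /etc/iptables/rules.v6
        owner: root
        group: root
        mode: "0744"

    - name: Load iptables rules
      command: /usr/sbin/service netfilter-persistent reload

    # Set up RADIUS auth. The package is fetched over plain HTTP from the
    # internal mirror and the apt module's "deb" form verifies no checksum,
    # so the install trusts the network path entirely. Serving it from a
    # signed apt repository, or fetching with get_url + checksum first,
    # would close that gap.
    - name: Install libpam-radius-auth
      apt:
        deb: http://apt.internal.gofreewire.com/libpam-radius-auth_1.3.17-0ubuntu4_amd64.deb

    # This makes the controller's copy of pam_radius_auth.conf -- which
    # holds the RADIUS shared secret -- world-readable. Kept as in the
    # original; a group-readable mode for the ansible user, or running the
    # play as a user that can already read it, avoids exposing the secret.
    - name: Set local permissions on pam_radius_auth.conf
      local_action: file path=/etc/pam_radius_auth.conf mode=0755

    - name: Copy over PAM RADIUS config
      template:
        src: /etc/pam_radius_auth.conf
        dest: /etc/pam_radius_auth.conf
        owner: root
        group: root
        mode: "0600"

    - name: Copy over PAM sshd config
      template:
        src: /etc/pam.d/sshd
        dest: /etc/pam.d/sshd
        owner: root
        group: root
        mode: "0644"

    - name: Copy over PAM sudo config
      template:
        src: /etc/pam.d/sudo
        dest: /etc/pam.d/sudo
        owner: root
        group: root
        mode: "0644"

    # Restart SSH. On apt-based systems the unit is normally "ssh"; the
    # second task presumably covers hosts where it is named "sshd" -- it is
    # expected to fail where no such unit exists, so confirm that is what
    # the inventory needs.
    - name: Restart ssh
      service:
        name: ssh
        state: restarted

    - name: Restart sshd
      service:
        name: sshd
        state: restarted

    - include: change_root_pw.yml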