@jvhaarst
Forked from lattejed/gist:5989831
Created April 28, 2014 17:23
# bootstrap.yml
---
- hosts: newservers
  vars:
    ubuntu_release: raring
    logwatch_email: <your email addy>
    # crypted passwords, generated on a Linux box using:
    # echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$6$YOURSALT"))' | python -
    root_password: ''
    deploy_password: ''
  tasks:
    - name: Change root password
      user: name=root password={{ root_password }}
    - name: Update APT package cache
      apt: update_cache=yes
    - name: Upgrade APT to the latest packages
      apt: upgrade=safe
    - name: Install mosh
      apt: pkg=mosh state=present
    - name: Install vim
      apt: pkg=vim state=present
    - name: Install fail2ban
      apt: pkg=fail2ban state=present
    - name: Add deployment user
      user: name=deploy password={{ deploy_password }}
    - name: Add authorized deploy key
      authorized_key: user=deploy key="{{ lookup('file', 'id_rsa.pub') }}"
    # Both sudoers edits are checked with visudo before the file is written, so a bad line cannot break sudo.
    - name: Remove sudo group rights
      lineinfile: dest=/etc/sudoers regexp="^%sudo" state=absent validate='visudo -cf %s'
    - name: Add deploy user to sudoers
      lineinfile: dest=/etc/sudoers regexp="deploy ALL" line="deploy ALL=(ALL) ALL" state=present validate='visudo -cf %s'
    # Key-only logins from here on: make sure the deploy key above works before running this.
    - name: Disallow password authentication
      lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present validate='/usr/sbin/sshd -t -f %s'
      notify: Restart ssh
    - name: Install unattended-upgrades
      apt: pkg=unattended-upgrades state=present
    - name: Adjust APT update intervals
      copy: src=config/apt_periodic dest=/etc/apt/apt.conf.d/10periodic
    - name: Make sure unattended-upgrades only installs from {{ ubuntu_release }}-security
      lineinfile: dest=/etc/apt/apt.conf.d/50unattended-upgrades regexp="{{ ubuntu_release }}-updates" state=absent
    - name: Copy debconf selections so that Postfix can configure itself non-interactively
      copy: src=config/postfix_selections dest=/tmp/postfix_selections
    - name: Set up Postfix to relay mail
      command: debconf-set-selections /tmp/postfix_selections
    - name: Install logwatch
      apt: pkg=logwatch state=present
    - name: Make logwatch mail {{ logwatch_email }} daily
      lineinfile: dest=/etc/cron.daily/00logwatch regexp="^/usr/sbin/logwatch" line="/usr/sbin/logwatch --output mail --mailto {{ logwatch_email }} --detail high" state=present create=yes
    # ufw via shell is not idempotent (every run reports "changed"); the community.general.ufw module is the idempotent alternative.
    - name: Allow SSH, HTTPS and the mosh port through ufw
      shell: ufw allow {{ item }}
      loop:
        - 22/tcp
        - 443/tcp
        - 60023/udp   # mosh defaults to 60000:61000/udp; a single port only works if clients connect with `mosh -p 60023`
    - name: Enable ufw
      shell: ufw --force enable
    - name: Disallow root SSH access
      lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present validate='/usr/sbin/sshd -t -f %s'
      notify: Restart ssh
  handlers:
    - name: Restart ssh
      service: name=ssh state=restarted
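The two sshd_config tasks in the playbook (`PasswordAuthentication no`, `PermitRootLogin no`) use `lineinfile`, which replaces the last line matching the regexp or, when nothing matches, appends the line at the end of the file. Whether that line is the one sshd honours depends on the rest of the file: sshd takes the first value it obtains for a keyword, reads `Include` globs in sorted order at the point of the `Include`, and treats directives after a `Match` line as conditional rather than global. The Python below is an added example, not part of the gist; it simulates both behaviours on three constructed configurations (a single-file config like the 2013-era target, one that ends in a `Match` block, and a newer layout with `Include /etc/ssh/sshd_config.d/*.conf` plus a cloud-init drop-in) and shows where the task's edit silently fails and how a drop-in named to sort first fixes the Include case. The file paths and contents are stand-ins, not taken from any real host.

```python
"""Does the playbook's sshd_config edit take effect? Added example, not from the gist.

Models two behaviours the "Disallow password authentication" task relies on:
  * Ansible lineinfile with regexp + state=present: the last matching line is
    replaced; with no match the line is appended at the end of the file.
  * sshd_config resolution: the first value obtained for a keyword wins,
    Include globs are read in sorted order where the Include appears, and
    directives after a Match line are conditional, not global.
All file contents below are constructed stand-ins for real hosts.
"""
import fnmatch
import re

MAIN = "/etc/ssh/sshd_config"
KEYWORD = "PasswordAuthentication"


def lineinfile(text, regexp, line):
    """Simulate `lineinfile regexp=... line=... state=present` on one file."""
    lines = text.splitlines()
    hits = [i for i, current in enumerate(lines) if re.search(regexp, current)]
    if hits:
        lines[hits[-1]] = line          # last match is replaced
    else:
        lines.append(line)              # no match: appended at EOF
    return "\n".join(lines) + "\n"


def effective_sshd_value(files, keyword, default=None):
    """Global value sshd would use for `keyword`, given a {path: contents} dict."""
    def walk(path):
        in_match = False
        for raw in files.get(path, "").splitlines():
            stripped = raw.strip()
            if not stripped or stripped.startswith("#"):
                continue
            parts = stripped.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":              # everything after this is conditional
                in_match = True
                continue
            if in_match:
                continue
            if key == "include":            # globs expand in lexical order
                for pattern in value.split():
                    for included in sorted(fnmatch.filter(files, pattern)):
                        found = walk(included)
                        if found is not None:
                            return found
                continue
            if key == keyword.lower():
                return value                # first value wins
        return None

    found = walk(MAIN)
    return default if found is None else found


# Constructed configurations (not copied from any real system).
CLASSIC = {MAIN: "Port 22\n#PasswordAuthentication yes\nUsePAM yes\n"}
WITH_MATCH = {MAIN: "Port 22\nUsePAM yes\nMatch User backup\n    ForceCommand /usr/bin/rrsync /srv\n"}
WITH_INCLUDE = {
    MAIN: "Include /etc/ssh/sshd_config.d/*.conf\nPort 22\nUsePAM yes\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def after_playbook_edit(files):
    """Effective value after the gist's lineinfile task runs on the main file."""
    edited = dict(files)
    edited[MAIN] = lineinfile(files[MAIN], "^" + KEYWORD, KEYWORD + " no")
    return effective_sshd_value(edited, KEYWORD, default="yes")


def after_dropin(files):
    """Effective value after adding a drop-in that sorts before other includes.
    Only helps when the main file actually has an Include directive."""
    edited = dict(files)
    edited["/etc/ssh/sshd_config.d/00-hardening.conf"] = KEYWORD + " no\n"
    return effective_sshd_value(edited, KEYWORD, default="yes")


if __name__ == "__main__":
    for label, files in [("classic", CLASSIC), ("match block", WITH_MATCH), ("include", WITH_INCLUDE)]:
        print(f"{label:12s} lineinfile -> {after_playbook_edit(files):4s} drop-in -> {after_dropin(files)}")
```

On a real host the equivalent check is `sshd -T | grep -i passwordauthentication`, which prints the value sshd actually uses. For the Match-block case, lineinfile's `insertbefore` parameter (for example `insertbefore=BOF`) keeps the appended line out of the block; a `validate='/usr/sbin/sshd -t -f %s'` parameter catches syntax errors but not a directive being shadowed by an earlier one.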