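---
# Base configuration for a Debian buster host: locale, timezone, firewall role,
# APT sources and package baseline, small root shell tweaks, sshd hardening,
# service cleanup and IPv6 disablement. Handlers referenced by `notify`
# (locale gen, update locale, restart cron, restart ssh, update grub, sysctl)
# are defined elsewhere in the role.

- name: Set locale
  lineinfile:
    path: /etc/locale.gen
    line: en_US.UTF-8 UTF-8
    state: present
    create: true
  notify:
    - locale gen
    - update locale

- name: Set timezone to America/Denver
  file:
    src: /usr/share/zoneinfo/America/Denver
    dest: /etc/localtime
    state: link
    # Replace whatever /etc/localtime already points at.
    force: true
    owner: root
    group: root
  notify: restart cron

# Set up iptables
- name: Configure iptables
  include_role:
    name: mikegleasonjr.firewall

- name: Set up APT
  apt_repository:
    repo: "{{ item }}"
    state: present
  with_items:
    - deb http://mirrors.kernel.org/debian/ buster main
    - deb http://mirrors.kernel.org/debian/ buster-updates main
    - deb http://security.debian.org/ buster/updates main
    #- deb http://mirrors.kernel.org/debian/ buster-backports main

# Make apt use IPv4
- name: Make apt use IPv4
  lineinfile:
    path: /etc/apt/apt.conf.d/99force-ipv4
    line: 'Acquire::ForceIPv4 "true";'
    state: present
    insertafter: EOF
    create: true

# Upgrade server
- name: Upgrade server
  apt:
    upgrade: dist
    # Keep existing config files on conflict; fall back to the package's new one.
    dpkg_options: 'force-confdef,force-confnew'
    update_cache: true

# The package list is passed to apt as one list so the whole set is resolved
# in a single apt transaction instead of one apt invocation per package.
- name: Install utilities
  apt:
    name:
      - apt-transport-https
      #- bind9-host
      - bzip2
      - ca-certificates
      - colordiff
      - curl
      - debian-archive-keyring
      - exuberant-ctags
      - git
      - less
      - locales
      - lsb-release
      - man-db
      - manpages
      - molly-guard
      - net-tools
      - ntp
      - openssh-server
      - python3
      - rsync
      - telnet
      - traceroute
      - vim
      - vim-scripts
    dpkg_options: 'force-confdef,force-confnew'
    update_cache: true

# Small user tweaks
# NOTE(review): `~` resolves to the home of the remote (become) user, while
# the .bashrc task below hard-codes /root; these only agree when the play runs
# as root — confirm that is intended.
- name: Update vimrc
  lineinfile:
    path: ~/.vimrc
    line: ':syntax on'
    state: present
    insertafter: EOF
    create: true

- name: Update .bashrc
  lineinfile:
    path: /root/.bashrc
    line: 'export EDITOR=vi'
    state: present
    insertafter: EOF
    create: true

# XXX Passwordless sudo XXX Ya, probably remove
- name: Passwordless sudo
  lineinfile:
    path: /etc/sudoers
    # Matches both the stock Debian "%sudo<TAB>ALL=(ALL:ALL) ALL" line and the
    # replacement written below, so re-runs rewrite the line in place rather
    # than appending a second %sudo entry.
    regexp: '^%sudo\s+ALL='
    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
    state: present
    # visudo -c rejects a syntactically broken sudoers before it is installed;
    # a bad sudoers would otherwise lock every user out of sudo.
    validate: '/usr/sbin/visudo -cf %s'

# SSH Config
# PasswordAuthentication and PermitRootLogin are disabled here and the block
# task below restricts logins to AllowUsers, so the listed user's public key
# must already be installed on the host before these run or the next SSH
# login fails.
- name: SSH Configuration
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '{{ item.find }}'
    line: '{{ item.replace }}'
    state: present
    # sshd -t rejects the change (the original file is kept) if sshd would not
    # accept the resulting configuration.
    validate: '/usr/sbin/sshd -t -f %s'
  with_items:
    # Anchored on the option name, optionally commented out, rather than a bare
    # substring so a mention inside an unrelated comment line is not rewritten.
    - {find: '^#?\s*PermitRootLogin\b', replace: 'PermitRootLogin no'}
    - {find: '^#?\s*PasswordAuthentication\b', replace: 'PasswordAuthentication no'}
    # RSAAuthentication (SSH protocol 1) was removed in OpenSSH 7.4; buster's
    # sshd only warns that the option is deprecated, so this entry is inert.
    - {find: '^#?\s*RSAAuthentication\b', replace: 'RSAAuthentication no'}
    - {find: '^#?\s*X11Forwarding\b', replace: 'X11Forwarding no'}
  notify:
    - restart ssh

- name: Adding SSH configuration to the end of file
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      AllowUsers jebba
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart ssh

# Startup XXX disable as unneeded
# To disable additional services
# Add more "- service_name" lines as needed
- name: Disabling unneeded services
  service:
    name: "{{ item }}"
    enabled: false
  with_items:
    - rsync

# Disable IPv6 in Grub
# NOTE: GRUB_CMDLINE_LINUX is replaced wholesale, so any kernel parameters the
# host already carried on that line are dropped; extend the replace value if
# they are needed.
- name: Disabling IPv6 in Grub
  lineinfile:
    path: /etc/default/grub
    regexp: '{{ item.find }}'
    line: '{{ item.replace }}'
    state: present
  with_items:
    - {find: '^.*?GRUB_TIMEOUT=.*', replace: 'GRUB_TIMEOUT=1'}
    - {find: '^.*?GRUB_CMDLINE_LINUX=.*', replace: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'}
    - {find: '^.*?GRUB_TERMINAL=.*', replace: 'GRUB_TERMINAL=console'}
  notify:
    - update grub

- name: Disable IPv6 in modprobe ipv6 conf file
  lineinfile:
    path: /etc/modprobe.d/ipv6.conf
    line: 'blacklist ipv6'
    state: present
    insertafter: EOF
    create: true

- name: Disable IPv6 in modprobe aliases conf file
  blockinfile:
    path: /etc/modprobe.d/aliases.conf
    # Module name is "ipv6"; a misspelt alias is silently accepted by
    # modprobe and disables nothing.
    block: |
      alias net-pf-10 off
      alias ipv6 off
    insertafter: EOF
    state: present
    create: true

- name: Disable IPv6 with sysctl
  blockinfile:
    path: /etc/sysctl.conf
    block: |
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1
    insertafter: EOF
    state: present
  notify:
    - sysctl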