From 07ddb5863b265ce15ebf74ce7638c2ef981a9181 Mon Sep 17 00:00:00 2001 From: Ruben Jongejan Date: Mon, 8 May 2017 22:34:24 +0200 Subject: [PATCH] improved readability with native yaml (#530) --- roles/dns_adblocking/tasks/main.yml | 16 ++++- roles/dns_adblocking/tasks/ubuntu.yml | 18 ++++- roles/security/tasks/main.yml | 95 ++++++++++++++++++++++---- roles/ssh_tunneling/tasks/main.yml | 15 ++-- roles/vpn/tasks/freebsd.yml | 11 +-- roles/vpn/tasks/ipec_configuration.yml | 6 +- roles/vpn/tasks/iptables.yml | 14 +++- roles/vpn/tasks/main.yml | 3 +- roles/vpn/tasks/ubuntu-hacks.yml | 8 ++- roles/vpn/tasks/ubuntu.yml | 17 ++++- 10 files changed, 164 insertions(+), 39 deletions(-) diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index 996443f..7e85e0e 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml @@ -21,12 +21,19 @@ when: ansible_distribution == 'FreeBSD' - name: Dnsmasq configured - template: src=dnsmasq.conf.j2 dest="{{ config_prefix|default('/') }}etc/dnsmasq.conf" + template: + src: dnsmasq.conf.j2 + dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf" notify: - restart dnsmasq - name: Adblock script created - template: src=adblock.sh dest=/usr/local/sbin/adblock.sh owner=root group="{{ root_group|default('root') }}" mode=0755 + template: + src: adblock.sh + dest: /usr/local/sbin/adblock.sh + owner: root + group: "{{ root_group|default('root') }}" + mode: 0755 - name: Adblock script added to cron cron: @@ -43,7 +50,10 @@ - meta: flush_handlers - name: Dnsmasq enabled and started - service: name=dnsmasq state=started enabled=yes + service: + name: dnsmasq + state: started + enabled: yes rescue: - debug: var=fail_hint tags: always diff --git a/roles/dns_adblocking/tasks/ubuntu.yml b/roles/dns_adblocking/tasks/ubuntu.yml index f0ffb91..8e4cf3d 100644 --- a/roles/dns_adblocking/tasks/ubuntu.yml +++ b/roles/dns_adblocking/tasks/ubuntu.yml 
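Review bot: The newly native `mode: 0755` on the adblock.sh template task is an unquoted scalar, so Ansible now receives an integer produced by the YAML 1.1 octal rule instead of the string `0755` that the old key=value form passed through. With the leading zero the resulting permission bits are still the intended ones, but the form is fragile: a YAML 1.2 parser reads `0755` as decimal 755, and a future edit that drops the zero would silently set an unrelated mode with no error. Quote the modes this patch introduces, e.g. `mode: '0755'`, which the file and template modules accept as octal. The same applies to the `mode:` lines converted in roles/dns_adblocking/tasks/ubuntu.yml, roles/security/tasks/main.yml, roles/ssh_tunneling/tasks/main.yml, roles/vpn/tasks/iptables.yml and roles/vpn/tasks/ubuntu.yml.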
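Review bot: `enabled: yes` in the new `service:` block is a YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and a YAML 1.2 parser would hand the module the string "yes" rather than a boolean. Since this patch is a readability pass, prefer the canonical form, `enabled: true`. The same spelling recurs in the `recurse`, `ignoreerrors`, `sysctl_set` and `reload` keys converted in roles/security/tasks/main.yml, `flat` in roles/ssh_tunneling/tasks/main.yml, and `update_cache`/`install_recommends` in roles/vpn/tasks/ubuntu.yml.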
@@ -1,7 +1,12 @@ --- - name: Ubuntu | Dnsmasq profile for apparmor configured - template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 + template: + src: usr.sbin.dnsmasq.j2 + dest: /etc/apparmor.d/usr.sbin.dnsmasq + owner: root + group: root + mode: 0600 when: apparmor_enabled is defined and apparmor_enabled == true notify: - restart dnsmasq @@ -12,10 +17,17 @@ tags: ['apparmor'] - name: Ubuntu | Ensure that the dnsmasq service directory exist - file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755 owner=root group=root + file: + path: /etc/systemd/system/dnsmasq.service.d/ + state: directory + mode: 0755 + owner: root + group: root - name: Ubuntu | Setup the cgroup limitations for the ipsec daemon - template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf + template: + src: 100-CustomLimitations.conf.j2 + dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf notify: - daemon-reload - restart dnsmasq diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 657e0c1..4289ad1 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -6,10 +6,20 @@ - unattended-upgrades - name: Configure unattended-upgrades - template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 + template: + src: 50unattended-upgrades.j2 + dest: /etc/apt/apt.conf.d/50unattended-upgrades + owner: root + group: root + mode: 0644 - name: Periodic upgrades configured - template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 + template: + src: 10periodic.j2 + dest: /etc/apt/apt.conf.d/10periodic + owner: root + group: root + mode: 0644 - name: Find directories for minimizing access stat: 
@@ -24,16 +34,27 @@ - '/bin' - name: Minimize access - file: path='{{ item.stat.path }}' mode='go-w' recurse=yes + file: + path: '{{ item.stat.path }}' + mode: 'go-w' + recurse: yes when: item.stat.isdir with_items: "{{ minimize_access_directories.results }}" no_log: True - name: Change shadow ownership to root and mode to 0600 - file: dest='/etc/shadow' owner=root group=root mode=0600 + file: + dest: '/etc/shadow' + owner: root + group: root + mode: 0600 - name: change su-binary to only be accessible to user and group root - file: dest='/bin/su' owner=root group=root mode=0750 + file: + dest: '/bin/su' + owner: root + group: root + mode: 0750 - name: Collect Use of privileged commands shell: > @@ -45,15 +66,30 @@ # Core dumps - name: Restrict core dumps (with PAM) - lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present + lineinfile: + dest: /etc/security/limits.conf + line: "* hard core 0" + state: present - name: Restrict core dumps (with sysctl) - sysctl: name=fs.suid_dumpable value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: fs.suid_dumpable + value: 0 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present # Kernel fixes - name: Disable Source Routed Packet Acceptance - sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: "{{item}}" + value: 0 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present with_items: - net.ipv4.conf.all.accept_source_route - net.ipv4.conf.default.accept_source_route 
@@ -61,13 +97,25 @@ - flush routing cache - name: Disable ICMP Redirect Acceptance - sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: "{{item}}" + value: 0 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present with_items: - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - name: Disable Secure ICMP Redirect Acceptance - sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: "{{item}}" + value: 0 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present with_items: - net.ipv4.conf.all.secure_redirects - net.ipv4.conf.default.secure_redirects @@ -75,12 +123,24 @@ - flush routing cache - name: Enable Bad Error Message Protection - sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: net.ipv4.icmp_ignore_bogus_error_responses + value: 1 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present notify: - flush routing cache - name: Enable RFC-recommended Source Route Validation - sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present + sysctl: + name: "{{item}}" + value: 1 + ignoreerrors: yes + sysctl_set: yes + reload: yes + state: present with_items: - net.ipv4.conf.all.rp_filter - net.ipv4.conf.default.rp_filter @@ -88,10 +148,17 @@ - flush routing cache - name: Do not send ICMP redirects (we are not a router) - sysctl: name=net.ipv4.conf.all.send_redirects value=0 + sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 - name: SSH config - template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 + template: + src: sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: 0644 notify: - restart ssh rescue: diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 8d1b3a3..90ff26f 100644 
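Review bot: The `Do not send ICMP redirects` task near the end of the hunk is the only sysctl task in this file that omits `ignoreerrors`, `sysctl_set` and `reload`, so it runs on module defaults while every neighbouring task spells those options out. The value is still applied, because the module's default `reload` runs `sysctl -p` when the file changes, but the inconsistency reads as an oversight rather than a choice; either add the same three options as the surrounding tasks or add a one-line comment stating that the defaults are intended. It is also the only redirect-related task without `notify: - flush routing cache`, which is visible as context at the top of this hunk for its siblings.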
--- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -18,7 +18,12 @@ group: name=algo state=present - name: Ensure that the jail directory exist - file: path=/var/jail/ state=directory mode=0755 owner=root group="{{ root_group|default('root') }}" + file: + path: /var/jail/ + state: directory + mode: 0755 + owner: root + group: "{{ root_group|default('root') }}" - name: Ensure that the SSH users exist user: @@ -46,12 +51,14 @@ with_items: "{{ users }}" - name: Generate SSH fingerprints - shell: > - ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null + shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null register: ssh_fingerprints - name: Fetch users SSH private keys - fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes + fetch: + src: '/var/jail/{{ item }}/.ssh/id_ecdsa' + dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem + flat: yes with_items: "{{ users }}" - name: Change mode for SSH private keys diff --git a/roles/vpn/tasks/freebsd.yml b/roles/vpn/tasks/freebsd.yml index 8964faa..1dbecd5 100644 --- a/roles/vpn/tasks/freebsd.yml +++ b/roles/vpn/tasks/freebsd.yml @@ -15,8 +15,7 @@ - "crypto" - name: FreeBSD / HardenedBSD | Make the kernel config - shell: > - sysctl -b kern.conftxt > /tmp/IPSEC + shell: sysctl -b kern.conftxt > /tmp/IPSEC when: rebuild_needed is defined and rebuild_needed == true - name: FreeBSD / HardenedBSD | Ensure the all options are enabled @@ -100,8 +99,7 @@ msg: "Something went wrong. Check the debug output above." - name: FreeBSD / HardenedBSD | Reboot - shell: > - sleep 2 && shutdown -r now + shell: sleep 2 && shutdown -r now args: executable: /usr/local/bin/bash when: rebuild_needed is defined and rebuild_needed == true 
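Review bot: The collapsed `shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null` interpolates a variable directly into a shell command line with no escaping, so a value containing shell metacharacters would alter the command instead of being treated as a single host argument. `IP_subject_alt_name` looks like a prompted or inventory-supplied value (confirm against the playbook); if so, pass it through Ansible's quote filter, `shell: ssh-keyscan {{ IP_subject_alt_name | quote }} 2>/dev/null`, or use `command:` so no shell is involved. Note also that `2>/dev/null` discards the only diagnostic keyscan emits, and ssh-keyscan may exit 0 with empty output when the host cannot be reached, so a `failed_when` on an empty `ssh_fingerprints.stdout` would make that case visible.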
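Review bot: The now single-line `shell: sysctl -b kern.conftxt > /tmp/IPSEC` writes the kernel configuration to a fixed, predictable name in the world-writable /tmp, where another local user can pre-create that file or a symlink to redirect or alter what the later rebuild steps read. Because this runs as root during a kernel rebuild, prefer a file under a root-owned directory the role controls, or a name obtained from the `tempfile` module (if the Ansible version in use has it) registered into a variable, and reference that in the consuming tasks, which lie outside this hunk.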
@@ -110,4 +108,7 @@ ignore_errors: true - name: FreeBSD / HardenedBSD | Enable strongswan - lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"' + lineinfile: + dest: /etc/rc.conf + regexp: ^strongswan_enable= + line: 'strongswan_enable="YES"' diff --git a/roles/vpn/tasks/ipec_configuration.yml b/roles/vpn/tasks/ipec_configuration.yml index a6b1530..cc7c21e 100644 --- a/roles/vpn/tasks/ipec_configuration.yml +++ b/roles/vpn/tasks/ipec_configuration.yml @@ -32,7 +32,11 @@ register: strongswan_plugins - name: Disable unneeded plugins - lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present + lineinfile: + dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" + regexp: '.*load.*' + line: 'load = no' + state: present notify: - restart strongswan when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins diff --git a/roles/vpn/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml index fc065c3..251335d 100644 --- a/roles/vpn/tasks/iptables.yml +++ b/roles/vpn/tasks/iptables.yml @@ -1,14 +1,24 @@ --- - name: Iptables configured - template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: 0640 with_items: - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } notify: - restart iptables - name: Iptables configured - template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: 0640 when: ipv6_support is defined and ipv6_support == true with_items: - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 5e26ac5..d250caf 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml 
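Review bot: The native `regexp: '.*load.*'` on the `Disable unneeded plugins` task matches any line containing the substring "load", not just the `load =` option, so in a plugin conf file whose comment block also mentions loading (strongswan's shipped `charon/*.conf` files appear to, confirm on a target) lineinfile matches several lines and relies on its last-match-wins rule to hit the right one. Anchor the expression to the option itself, `regexp: '^\s*load\s*='`, so the comment line is never a candidate and the task's behaviour no longer depends on line order in the file.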
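Review bot: Both tasks in this hunk keep the identical name `Iptables configured`, so play output cannot distinguish the IPv4 rules write from the conditional IPv6 one, and `--start-at-task` or `--list-tasks` references become ambiguous. Since the commit is a readability pass, rename the second, e.g. `- name: Iptables configured (IPv6)`. Each task also iterates a single-item `with_items` list holding a flow-style mapping; a plain `src:`/`dest:` pair on the template module would express the same thing without the loop.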
@@ -16,8 +16,7 @@ package: name=strongswan state=present - name: Get StrongSwan versions - shell: > - ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g" + shell: ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g" register: strongswan_version - include: ipec_configuration.yml diff --git a/roles/vpn/tasks/ubuntu-hacks.yml b/roles/vpn/tasks/ubuntu-hacks.yml index fbe2cbc..a64b754 100644 --- a/roles/vpn/tasks/ubuntu-hacks.yml +++ b/roles/vpn/tasks/ubuntu-hacks.yml @@ -1,10 +1,14 @@ --- - name: Configure apt to use the Xenial release by default - template: src=01_xenial_aptconf.j2 dest=/etc/apt/apt.conf.d/01xenial + template: + src: 01_xenial_aptconf.j2 + dest: /etc/apt/apt.conf.d/01xenial - name: Configure packages preferences - template: src=01_strongswan.pref.j2 dest=/etc/apt/preferences.d/01_strongswan.pref + template: + src: 01_strongswan.pref.j2 + dest: /etc/apt/preferences.d/01_strongswan.pref - name: Configure the Ubuntu Zesty repository apt_repository: diff --git a/roles/vpn/tasks/ubuntu.yml b/roles/vpn/tasks/ubuntu.yml index 971d905..db046ad 100644 --- a/roles/vpn/tasks/ubuntu.yml +++ b/roles/vpn/tasks/ubuntu.yml @@ -7,7 +7,11 @@ when: ansible_distribution_version == "16.04" - name: Ubuntu | Install strongSwan - apt: name=strongswan state=latest update_cache=yes install_recommends=yes + apt: + name: strongswan + state: latest + update_cache: yes + install_recommends: yes - name: Ubuntu | Enforcing ipsec with apparmor shell: aa-enforce "{{ item }}" 
@@ -28,10 +32,17 @@ - netfilter-persistent - name: Ubuntu | Ensure that the strongswan service directory exist - file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root + file: + path: /etc/systemd/system/strongswan.service.d/ + state: directory + mode: 0755 + owner: root + group: root - name: Ubuntu | Setup the cgroup limitations for the ipsec daemon - template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf + template: + src: 100-CustomLimitations.conf.j2 + dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf notify: - daemon-reload - restart strongswan