Remove the security role

.travis.yml

@@ -52,7 +52,7 @@ script:
 #  - shellcheck algo
 #  - ansible-lint deploy.yml users.yml deploy_client.yml
   - ansible-playbook deploy.yml --syntax-check
-  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
+  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
 
 after_script:
   - ./tests/update-users.sh

algo

@@ -48,12 +48,6 @@ Do you want each user to have their own account for SSH tunneling?
 ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
 if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
 
-read -p "
-Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
-[y/N]: " -r security_enabled
-security_enabled=${security_enabled:-n}
-if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
-
 read -p "
 Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 [y/N]: " -r Win10_Enabled

deploy.yml

@@ -63,7 +63,6 @@
           tags: always
 
   roles:
-    - { role: security, tags: [ 'security' ] }
     - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
     - { role: vpn, tags: [ 'vpn' ] }

roles/security/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart ssh
-  service: name="{{ ssh_service_name|default('ssh') }}" state=restarted
-
-- name: flush routing cache
-  shell: echo 1 > /proc/sys/net/ipv4/route/flush

roles/security/meta/main.yml

@@ -1,4 +0,0 @@
----
-
-dependencies:
-  - { role: common, tags: common }

roles/security/tasks/main.yml

@@ -1,161 +0,0 @@
----
-- block:
-    - name: Install tools
-      apt: name="{{ item }}" state=latest
-      with_items:
-        - unattended-upgrades
-
-    - name: Configure unattended-upgrades
-      template:
-        src: 50unattended-upgrades.j2
-        dest: /etc/apt/apt.conf.d/50unattended-upgrades
-        owner: root
-        group: root
-        mode: 0644
-
-    - name: Periodic upgrades configured
-      template:
-        src: 10periodic.j2
-        dest: /etc/apt/apt.conf.d/10periodic
-        owner: root
-        group: root
-        mode: 0644
-
-    - name: Find directories for minimizing access
-      stat:
-        path: "{{ item }}"
-      register: minimize_access_directories
-      with_items:
-        - '/usr/local/sbin'
-        - '/usr/local/bin'
-        - '/usr/sbin'
-        - '/usr/bin'
-        - '/sbin'
-        - '/bin'
-
-    - name: Minimize access
-      file:
-        path: '{{ item.stat.path }}'
-        mode: 'go-w'
-        recurse: yes
-      when: item.stat.isdir
-      with_items: "{{ minimize_access_directories.results }}"
-      no_log: True
-
-    - name: Change shadow ownership to root and mode to 0600
-      file:
-        dest: '/etc/shadow'
-        owner: root
-        group: root
-        mode: 0600
-
-    - name: change su-binary to only be accessible to user and group root
-      file:
-        dest: '/bin/su'
-        owner: root
-        group: root
-        mode: 0750
-
-    # Core dumps
-
-    - name: Restrict core dumps (with PAM)
-      lineinfile:
-        dest: /etc/security/limits.conf
-        line: "* hard core 0"
-        state: present
-
-    - name: Restrict core dumps (with sysctl)
-      sysctl:
-        name: fs.suid_dumpable
-        value: 0
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-
-    # Kernel fixes
-
-    - name: Disable Source Routed Packet Acceptance
-      sysctl:
-        name: "{{item}}"
-        value: 0
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-      with_items:
-        - net.ipv4.conf.all.accept_source_route
-        - net.ipv4.conf.default.accept_source_route
-      notify:
-        - flush routing cache
-
-    - name: Disable ICMP Redirect Acceptance
-      sysctl:
-        name: "{{item}}"
-        value: 0
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-      with_items:
-        - net.ipv4.conf.all.accept_redirects
-        - net.ipv4.conf.default.accept_redirects
-
-    - name: Disable Secure ICMP Redirect Acceptance
-      sysctl:
-        name: "{{item}}"
-        value: 0
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-      with_items:
-        - net.ipv4.conf.all.secure_redirects
-        - net.ipv4.conf.default.secure_redirects
-      notify:
-        - flush routing cache
-
-    - name: Enable Bad Error Message Protection
-      sysctl:
-        name: net.ipv4.icmp_ignore_bogus_error_responses
-        value: 1
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-      notify:
-        - flush routing cache
-
-    - name: Enable RFC-recommended Source Route Validation
-      sysctl:
-        name: "{{item}}"
-        value: 1
-        ignoreerrors: yes
-        sysctl_set: yes
-        reload: yes
-        state: present
-      with_items:
-        - net.ipv4.conf.all.rp_filter
-        - net.ipv4.conf.default.rp_filter
-      notify:
-        - flush routing cache
-
-    - name: Do not send ICMP redirects (we are not a router)
-      sysctl:
-        name: net.ipv4.conf.all.send_redirects
-        value: 0
-
-    - name: SSH config
-      template:
-        src: sshd_config.j2
-        dest: /etc/ssh/sshd_config
-        owner: root
-        group: root
-        mode: 0644
-      notify:
-        - restart ssh
-  rescue:
-    - debug: var=fail_hint
-      tags: always
-    - fail:
-      tags: always

roles/security/templates/10periodic.j2

@@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";

roles/security/templates/50unattended-upgrades.j2

@@ -1,59 +0,0 @@
-// Automatically upgrade packages from these (origin:archive) pairs
-Unattended-Upgrade::Allowed-Origins {
-    "${distro_id}:${distro_codename}-security";
-    "${distro_id}:${distro_codename}-updates";
-//  "${distro_id}:${distro_codename}-proposed";
-//  "${distro_id}:${distro_codename}-backports";
-};
-
-// List of packages to not update (regexp are supported)
-Unattended-Upgrade::Package-Blacklist {
-//  "vim";
-//  "libc6";
-//  "libc6-dev";
-//  "libc6-i686";
-};
-
-// This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run 
-//   dpkg --force-confold --configure -a
-// The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
-
-// Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
-// a bit slower but it has the benefit that shutdown while a upgrade
-// is running is possible (with a small delay)
-//Unattended-Upgrade::MinimalSteps "true";
-
-// Install all unattended-upgrades when the machine is shuting down
-// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower
-//Unattended-Upgrade::InstallOnShutdown "true";
-
-// Send email to this address for problems or packages upgrades
-// If empty or unset then no email is sent, make sure that you
-// have a working mail setup on your system. A package that provides
-// 'mailx' must be installed. E.g. "user@example.com"
-//Unattended-Upgrade::Mail "root";
-
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-//Unattended-Upgrade::MailOnlyOnError "true";
-
-// Do automatic removal of new unused dependencies after the upgrade
-// (equivalent to apt-get autoremove)
-//Unattended-Upgrade::Remove-Unused-Dependencies "false";
-
-// Automatically reboot *WITHOUT CONFIRMATION*
-//  if the file /var/run/reboot-required is found after the upgrade 
-//Unattended-Upgrade::Automatic-Reboot "false";
-
-// If automatic reboot is enabled and needed, reboot at the specific
-// time instead of immediately
-//  Default: "now"
-//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
-
-// Use apt bandwidth limit feature, this example limits the download
-// speed to 70kb/sec
-//Acquire::http::Dl-Limit "70";

roles/security/templates/sshd_config.j2

@@ -1,51 +0,0 @@
-Port 22
-# ListenAddress ::
-# ListenAddress 0.0.0.0
-Protocol 2
-
-# LogLevel VERBOSE logs user's key fingerprint on login.
-# Needed to have a clear audit log of which keys were used to log in.
-SyslogFacility AUTH
-LogLevel VERBOSE
-
-# Use kernel sandbox mechanisms where possible
-# Systrace on OpenBSD, Seccomp on Linux, seatbelt on macOS X (Darwin), rlimit elsewhere.
-UsePrivilegeSeparation sandbox
-
-# Handy for keeping network connections alive
-TCPKeepAlive yes
-ClientAliveInterval 120
-
-# Authentication
-UsePAM yes
-PermitRootLogin without-password
-StrictModes yes
-PubkeyAuthentication yes
-AcceptEnv LANG LC_*
-
-# Turn off a lot of features
-IgnoreRhosts yes
-HostbasedAuthentication no
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-PasswordAuthentication no
-UseDNS no
-
-# Do not enable sftp
-# If you DO enable it, use this line to log which files sftp users read/write
-# Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
-
-# This makes ansible faster
-PrintMotd no
-PrintLastLog yes
-
-# Use only modern host keys
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-
-# Use only modern ciphers
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
-Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
-MACs hmac-sha2-256-etm@openssh.com
-HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
-# PubkeyAcceptedKeyTypes accept anything