ubuntu.yml

# Basic Ubuntu machine setup.
#
# Note, since 16.04 Ubuntu no longer includes Python 2.x by default. Thus,
# the --extra-vars options is used to force Ansible using Python 3.
#
# Usage:
#
# 1. $ ansible-playbook ansible/roles/ubuntu.yml -i aaa.bbb.ccc.ddd, --ask-pass --extra-vars "ansible_python_interpreter=/usr/bin/python3" --extra-vars "user_name=whatever"
# 2. $ ssh aaa.bbb.ccc.ddd
# 3. Install dotfiles!
---
- hosts: all
  remote_user: root
  vars:
    user: "{{ user_name | default(lookup('env', 'USER')) }}"
  vars_prompt:
    - name: "password"
      prompt: "password for the remote user to set (when user does not exist yet)"
      private: yes
      encrypt: "sha512_crypt" # need to have python-passlib installed in local machine before we can use it ('pip install passlib')
      confirm: yes
      salt_size: 7
  tasks:
    - name: update/upgrade apt
      apt: upgrade=dist update_cache=yes

    - name: add primary user
      user: name={{ user }} shell=/bin/bash groups=sudo append=yes password={{ password }}

    - name: upload primary user ssh public key
      authorized_key: user={{ user }} key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

    - name: disable root ssh login, disallow password authentication (and other sshd_config tweaks)
      lineinfile: dest=/etc/ssh/sshd_config state={{ item.state }} line="{{ item.line }}" regexp="{{ item.regexp }}"
      with_items:
        - { state: present, line: "PermitRootLogin no", regexp: "^PermitRootLogin" }
        - { state: present, line: "PasswordAuthentication no", regexp: "^PasswordAuthentication" }
        - { state: present, line: "ChallengeResponseAuthentication no", regexp: "^ChallengeResponseAuthentication" }
        - { state: present, line: "UseDNS no", regexp: "^UseDNS" }
        - { state: present, line: "AllowUsers {{ user }}" ,regexp: "^AllowUsers" }
      notify:
        - reload ssh

    - name: Enable SSH Agent forwarding for sudo
      lineinfile: >
        dest=/etc/sudoers
        state=present
        insertafter='^Defaults'
        line='Defaults	env_keep+=SSH_AUTH_SOCK'
        validate='visudo -cf %s'

    - name: Install packages
      apt: "pkg={{ item }} state=present"
      with_items:
        - curl
        - fail2ban
        - mosh
        - unattended-upgrades

    - name: enable automatic security updates
      copy: >
        src=20auto-upgrades
        dest=/etc/apt/apt.conf.d/20auto-upgrades
        owner=root
        group=root
        mode=0644

    - name: check if /etc/cron.daily/apt.disabled exists
      stat: path=/etc/cron.daily/apt.disabled
      register: daily_apt_disabled

    - name: fix disabled daily apt cron
      command: >
        mv /etc/cron.daily/apt.disabled /etc/cron.daily/apt
        creates=/etc/cron.daily/apt
      when: daily_apt_disabled.stat.exists

    - name: check if .dotfiles already installed
      stat: path=/home/{{ user }}/.bashrc
      register: user_bashrc

    - name: sent mail on root login
      lineinfile:
        dest: /root/.bashrc
        state: present
        line: '[ -x /usr/bin/mail ] && echo -e "Host: `hostname -f`\\n`date`\\n\\nWho:\\n`who`" | mail -s "ALERT - Root Shell Access on `hostname -f` from `who | cut -d"(" -f2 | cut -d")" -f1 | tr "\\n" " "`" root'
        regexp: ^\[\ \-x\ \/usr\/bin\/mail\ \]

  handlers:
    - name: reload ssh
      service: name=ssh state=restarted