feat: added new roles to match daily driver desktop; full idempotency; several fixes and tweaks; re-added hosts in inventory

2023-11-19 00:00:00 +00:00 · 2023-11-19 00:00:00 +00:00 · 726b7668f9
commit 726b7668f9
parent 555fde4351
65 changed files with 10012 additions and 377 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@ -1,29 +1,36 @@
 ---
- name: '[setup] gather facts is not already done'
+- name: '[setup] gather facts if not already done'
  setup:
    gather_subset:
      - distribution

 - name: '[ssh] hardening sshd'
-  become: yes
+  become: true
  block:
    - name: '[ssh] setup sshd_config'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.j2
        dest: /etc/ssh/sshd_config
-        mode: 644
-      notify:
-        - '[ssh] restart service'
+        mode: '0644'
    - name: '[ssh] setup sshd_config.d'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
        dest: /etc/ssh/sshd_config.d/encryption.conf
-        mode: 644
-      notify:
-        - 'security : [ssh] restart service'
+        mode: '0644'
+    - name: '[ssh] remove low security keys'
+      ansible.builtin.file:
+        path: "/etc/ssh/{{ item }}"
+        state: absent
+      loop:
+        - ssh_host_ecdsa_key
+        - ssh_host_ecdsa_key.pub
+        - ssh_host_rsa_key
+        - ssh_host_rsa_key.pub
+  notify:
+    - 'security : [ssh] restart service'

 - name: '[utils] install security and audit tools'
-  become: yes
+  become: true
  ansible.builtin.apt:
    update_cache: true
    force_apt_get: true
@ -35,7 +42,7 @@
    state: present

 - name: '[system] configure rkhunter'
-  become: yes
+  become: true
  block:
    - name: '[rkhunter] create include dir'
      ansible.builtin.file:
@ -57,7 +64,7 @@
        state: present

 - name: '[system] clamav'
-  become: yes
+  become: true
  block:
    - name: '[clamav] retrieve and install clamav package'
      ansible.builtin.apt:
@ -80,35 +87,16 @@
        system: true
        state: present
    - name: '[clamav] setup directories'
-      block:
-        - name: '[clamav] ensure /etc/clamav dir exists'
-          ansible.builtin.file:
-            path: /etc/clamav
-            state: directory
-            owner: clamav
-            group: clamav
-            mode: '0750'
-        - name: '[clamav] ensure /var/lib/clamav dir exists'
-          ansible.builtin.file:
-            path: /var/lib/clamav
-            state: directory
-            owner: clamav
-            group: clamav
-            mode: '0750'
-        - name: '[clamav] ensure /var/lib/clamav/quarantine dir exists'
-          ansible.builtin.file:
-            path: /var/lib/clamav/quarantine
-            state: directory
-            owner: clamav
-            group: clamav
-            mode: '0750'
-        - name: '[clamav] ensure /var/log/clamav dir exists'
-          ansible.builtin.file:
-            path: /var/log/clamav
-            state: directory
-            owner: clamav
-            group: clamav
-            mode: '0750'
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: clamav
+        group: clamav
+        mode: '0750'
+      loop:
+        - /etc/clamav
+        - /var/lib/clamav/quarantine
+        - /var/log/clamav
    - name: '[clamav] copy clamd.conf'
      ansible.builtin.template:
        src: '../templates/clamav/clamd.conf.j2'
@ -123,20 +111,16 @@
        owner: clamav
        group: clamav
        mode: '0640'
-    - name: '[clamav] setup freshclam service'
-      block:
-        - name: '[clamav] copy freshclam service file'
-          ansible.builtin.template:
-            src: '../templates/clamav/clamav-freshclam.service.j2'
-            dest: /usr/lib/systemd/system/clamav-freshclam.service
-            mode: '0644'
-    - name: '[clamav] setup clamd service'
-      block:
-        - name: '[clamav] copy clamd service file'
-          ansible.builtin.template:
-            src: '../templates/clamav/clamav-clamd.service.j2'
-            dest: /usr/lib/systemd/system/clamav-clamd.service
-            mode: '0644'
+    - name: '[clamav] copy freshclam service file'
+      ansible.builtin.template:
+        src: '../templates/clamav/clamav-freshclam.service.j2'
+        dest: /usr/lib/systemd/system/clamav-freshclam.service
+        mode: '0644'
+    - name: '[clamav] copy clamd service file'
+      ansible.builtin.template:
+        src: '../templates/clamav/clamav-clamd.service.j2'
+        dest: /usr/lib/systemd/system/clamav-clamd.service
+        mode: '0644'
    - name: '[clamav] setup cron job'
      ansible.builtin.cron:
        name: clamav full system scan
@ -152,7 +136,7 @@
    - 'security : [clamd] restart service'

 - name: '[system] hardening system'
-  become: yes
+  become: true
  block:
    - name: '[system] login.defs'
      ansible.builtin.template: