dtomlinson/ansible_linux_setup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

moving files to old

Browse Source
This commit is contained in:
Daniel Tomlinson
2021-02-28 23:19:04 +00:00
parent 63657fbe47
commit 86d3a9a0ec
28 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
old/roles/common/handlers/main.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: restart ntp
service:
name: ntp
state: restarted
- name: restart cron
service:
name: cron
state: restarted
- name: restart fail2ban
service:
name: fail2ban
state: restarted
- name: restart exim4
service:
name: exim4
state: restarted

95
old/roles/common/tasks/main.yml Normal file
View File

@@ -0,0 +1,95 @@
---
- name: Upgrade packages
apt:
upgrade: full
- name: Install packages
apt:
name: "{{packages_to_install}}"
state: present
update_cache: yes
allow_unauthenticated: yes
- name: Install mozilla/sops
get_url:
url: https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux
dest: /usr/bin/sops
mode: "0755"
owner: root
group: root
- name: Enable dm_crypt module
modprobe:
name: dm_crypt
state: present
- name: Enable compress on logrotate
lineinfile:
dest: /etc/logrotate.conf
regexp: "^#?compress"
line: "compress"
state: present
# - name: Send logcheck results to right email address
# lineinfile:
# dest: /etc/logcheck/logcheck.conf
# regexp: "^#?SENDMAILTO="
# line: "SENDMAILTO=\"{{dot_forward_email}}\""
# state: present
# - name: Copy local logcheck ignore rules
# copy:
# src: templates/local-rules
# dest: /etc/logcheck/ignore.d.server/local-rules
# owner: root
# group: logcheck
# mode: u=rw,g=r,o=r
- name: Configure timezone
timezone:
name: "{{timezone}}"
- name: Configure ntp client and restart it
template:
src: ntp.conf.j2
dest: /etc/ntp.conf
notify:
- restart ntp
- restart cron
- name: Set up exim4 conf
template:
src: update-exim4.conf.conf.j2
dest: /etc/exim4/update-exim4.conf.conf
owner: root
group: root
mode: 0644
- name: Set up exim4 password file
template:
src: passwd.client.j2
dest: /etc/exim4/passwd.client
owner: root
group: Debian-exim
mode: 0640
- name: Set up exim4 localmacros
template:
src: exim4.conf.localmacros.j2
dest: /etc/exim4/exim4.conf.localmacros
owner: root
group: root
mode: 0644
notify: restart exim4
- name: Make fail2ban work with ufw
lineinfile:
dest: "{{item}}"
regexp: "^banaction"
line: "banaction = ufw"
state: present
with_items:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.local
notify:
- restart fail2ban

1
old/roles/common/templates/exim4.conf.localmacros.j2 Normal file
View File

@@ -0,0 +1 @@
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = 1

241
old/roles/common/templates/local-rules Normal file
View File

@@ -0,0 +1,241 @@
#Avahi daemon casues a lot of spam. Add rules for the following type of messages;
#Feb 7 19:15:47 alias avahi-daemon[772]: Invalid query packet.
#Feb 7 19:16:51 alias avahi-daemon[772]: last message repeated 5 times
#Feb 7 19:35:46 alias avahi-daemon[772]: Invalid response packet from host 130.89.170.253.
#Note that the next rule is ugly, but i'm not sure how to filter it otherwise (except stopping rsyslog from summaryzing)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: last message repeated [0-9]+ time(s)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid query packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet from host [[:alnum:]:.]+.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response from host [[:alnum:].]+ with invalid source port [0-9]+ on interface '[[:alnum:]:.]+'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Registering new address record for [:0-9a-f]+ on [[:alnum:]]+\.\*.$
#Remove like:
#Feb 8 16:55:24 alias avahi-daemon[908]: Received response from host 130.89.164.246 with invalid source port 52031 on interface 'eth0.0'
#Feb 8 16:55:23 alias avahi-daemon[908]: Invalid legacy unicast query packet.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid legacy unicast query packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Received response with invalid source port [0-9]+ on interface '[[:alnum:].]+'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]:.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: Get:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: The following package was automatically installed and is no longer required:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: Use 'apt-get autoremove' to remove it\.
# Process accounting resumed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] Process accounting resumed$
# perf samples too long (KVM/X58/5 series chipset issue)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] perf samples too long \([0-9]{3,5} > [0-9]{3,5}\), lowering kernel\.perf_event_max_sample_rate to [0-9]{3,5}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] perf interrupt took too long \([0-9]{3,5} > [0-9]{3,5}\), lowering kernel\.perf_event_max_sample_rate to [0-9]{3,5}$
# ext4 remounts
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] EXT4-fs \([a-zA-Z]{2,3}-[0-9]{1,2}\): re-mounted\. Opts: \(null\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[\.0-9]+\] list passed to list_sort\(\) too long for efficiency$
#Lines zoals:
#Feb 6 17:21:26 alias ntpd[1030]: clock is now synced
#Feb 6 17:39:54 alias ntpd[1030]: clock is now unsynced
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: clock is now synced$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: clock is now unsynced$
#Allow NTPD to make small adjustments to the local clock without spam
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: adjusting local clock by (-)?[0-9].[0-9]+s$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: adjusting clock frequency by (-)?[0-9]\.[0-9]+ to (-)?[0-9]{0,2}\.[0-9]+ppm$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: skew change (-)?[0-9]+.[0-9]+ exceeds limit$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: peer [[:alnum:]:\.]{7,39} now (valid|invalid)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: reply from [[:alnum:]:\.]{7,39}: not synced( \(alarm\))?, next query [0-9]+s$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: reply from [[:alnum:]:\.]{7,39}: negative delay -0\.[0-9]+(, next query [0-9]+s)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: (message repeated [0-9]{1,3} times: \[ )?sendto: Network is unreachable(\])$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: peers refreshed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: new interface\(s\) found: waking up resolver$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: Listen normally on [0-9]+ (eth|br)[0-9]+ [[:alnum:]:\.]{7,39} UDP [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: [[:alnum:]:\.]{7,39} interface [[:alnum:]:\.]{7,39} -> ([[:alnum:]:\.]{7,39}|\(none\))$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd[[0-9]+]: Deleting interface \#[0-9]+ [[:alnum:]]{3,4}, [[:alnum:]:\.]{7,39}#[0-9]+, interface stats: received=[0-9]+, sent=[0-9=}, dropped=[0-9]+, active_time=[0-9]+ secs$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: [[:alnum:]]+: replace: header
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/pipe\[[[:digit:]]+\]:.+delivered via omvnotificationfilter service.+$
#Ignore UDP connects to public community on localhost
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from UDP: \[127.0.0.1\]->\[127.0.0.1\]:-[0-9]+$
# Logcheck rules for systemd, organized by component.
# Automount
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Set up|Unset) automount .+\.$
# Busname & Socket
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) .+\.$
# Device
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Found device [^[:space:]]+\.$
# Device
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded the IMA custom policy [^[:space:]]+\.$
# Job & Service & Unit
# FIXME: Don't want to match "Stopped \(with error\) .+\.$"
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Started|Stopped|Reloaded) .+\.$
# FIXME: Don't want to match "Starting of .+ not supported\.$"
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Stopping|Reloading) .+\.$
# Log
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd(-[^[:space:]]+)?\[[[:digit:]]+\]: Received SIG[^[:space:]]+( from PID [[:digit:]]+ \([^[:space:]]+\))?\.$
# Main
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reexecuting|Reloading|Shutting down|Switching root)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected architecture [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Detected virtualization [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: RTC configured in localtime, applying delta of -?[[:digit:]]+ minutes to system time\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Running in initial RAM disk\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: systemd [[:digit:]]+ running in (test )?system mode. \((\+[[:alnum:]]+ ?)+\)$
# Manager
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
# Mount
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Mounted|Unmounted) .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Mounting .+\.\.\.$
# PAM
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[[:digit:]]+\))?$
# SELinux
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded SELinux policy in [^[:space:]]+\.$
# Smack
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Successfully loaded Smack(/CIPSO)? policies\.$
# Slice
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice User Slice of .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice [^[:space:]]+\.slice\.$
# Swap
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Activated|Deactivated) swap .+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Activating swap .+\.\.\.$
# Target
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reached|Stopped) target .+\.$
# Unit
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit is bound to inactive unit [^[:space:]]+\. Stopping, too\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [^[:space:]]+: Unit not needed anymore\. Stopping\.$
# systemd-journald
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[[:digit:]]+\]: Received request to (flush|rotate) runtime journal from PID [[:digit:]]+$
# systemd-logind
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [^[:space:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [^[:space:]]+\.$
# systemd-sleep
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: Suspending system\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[[:digit:]]+\]: System resumed\.$
# systemd-timesyncd
# Note: Only required for systemd 218 and earlier due to
# https://bugs.freedesktop.org/show_bug.cgi?id=88926
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: interval/delta/delay/jitter/drift [[:digit:]]+s/(\+|-)[.[:digit:]]+s/-?[.[:digit:]]+s/-?[.[:digit:]]+s/(\+|-)[[:digit:]]+ppm( \(ignored\))?$
# /etc/logcheck/ignore.d.server/local-rules
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[. [:digit:]]+\] perf samples too long \([[:digit:]]+ > [0-9]+\), lowering kernel.perf_event_max_sample_rate to [[:digit:]]+$
ntpd\[[0-9]+\]: adjusting clock frequency by [0-9]+\.[0-9]+ to [0-9]+\.[0-9]+ppm
ntpd\[[0-9]+\]: adjusting clock frequency by [0-9]+\.[0-9]+ to -[0-9]+\.[0-9]+ppm
ntpd\[[0-9]+\]: adjusting clock frequency by -[0-9]+\.[0-9]+ to [0-9]+\.[0-9]+ppm
ntpd\[[0-9]+\]: adjusting clock frequency by -[0-9]+\.[0-9]+ to -[0-9]+\.[0-9]+ppm
ntpd\[[0-9]+\]: adjusting local clock by [-]*[0-9]+\.[0-9]+s
ntpd\[[0-9]+\]: bad peer from pool [0-9]+.debian.pool.ntp.org
ntpd\[[0-9]+\]: Soliciting pool server
ntpd\[[0-9]+\]: [0-9]+ out of [0-9]+ peers valid
ntpd\[[0-9]+\]: reply from [\.0-9]+: not synced, next query [0-9]+s
auditd\[[0-9]+\]: Audit daemon rotating log files
kernel\[[0-9]+\]: \[[0-9]+\.[0-9]+\] INFO: NMI handler (perf_event_nmi_handler) took too long to run: [0-9]+.[0-9]+ msecs
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[. [:digit:]]+\] hrtimer: interrupt took [[:digit:]]+ ns$
rrdcached\[[0-9]+\]: Received FLUSHALL
rrdcached\[[0-9]+\]: flushing old values
rrdcached\[[0-9]+\]: removing old journal /var/lib/rrdcached/journal/rrd.journal.[0-9]+\.[0-9]+
rrdcached\[[0-9]+\]: rotating journals
rrdcached\[[0-9]+\]: started new journal /var/lib/rrdcached/journal/rrd.journal.[0-9]+\.[0-9]+
systemd-logind\[[0-9]+\]: New session c[0-9]+ of user nobody.
systemd-logind\[[0-9]+\]: New session [0-9]+ of user vagrant.
systemd-logind\[[0-9]+\]: Removed session [0-9]+.
systemd-logind\[[0-9]+\]: Removed session c[0-9]+.
## suppress issues that arise with publicly available services that people try to exploit. https://gist.github.com/towo/9600375
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ::ffff:[\.0-9]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: bad client public DH value \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alpha:]]+,ssh-connection\) -> \([[:alpha:]]+,ssh-connection\) \[preauth\]$
#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [\.0-9]+: 11: Bye Bye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: Goodbye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: PECL/ssh2 \(http://pecl.php.net/packages/ssh2\) \[preauth\]$
##
##dhclient\[[[:digit:]]+\]: DHCPREQUEST of [\.0-9]+ on eth0 to [\.0-9]+ port [0-9]+ (xid=0x[0-9a-f]+)
#dhclient\[[0-9]+\]: DHCPREQUEST of [\.0-9]+ on eth0 to [\.0-9]+ port [0-9]+ (xid=0x[0-9a-f]+)
sh\[[0-9]+\]: Generated new chapter thumbnails for
sh\[[0-9]+\]: Warning: strange ID3v2 tag in
sh\[[0-9]+\]: __code__:699: FutureWarning: The behavior of this method will change in future versions. Use specific 'len\(elem\)' or 'elem is not None' test instead.
sh\[[0-9]+\]: self.processTRCK\( self.frameId, self.frameFlags, self.data \)
sh\[[0-9]+\]: Got nothing for: Series None None
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Del
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Calculating upgrade\.\.\.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-[0-9]+: action 'action 20' suspended, next retry is
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-?[0-9]+: action 'action 20' resumed
kernel: \[[0-9]+\.[0-9]+\] Peer .+ unexpectedly shrunk window .+ \(repaired\)
openmediavault-update-smart-drivedb: Updating smartmontools .+ drive database \.\.\.
cron-apt: The following packages were automatically installed and are no longer required:
cron-apt: Use 'apt-get autoremove' to remove them\.
openmediavault-webgui\[[[:digit:]]+\]: Authorized login from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[.+\] kvm \[[0-9]+]: vcpu[0-9]+ unimplemented perfctr wrmsr:
Exception AttributeError: "'ZipArchive' object has no attribute '_zip'" in
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Timed out waiting for reply from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Using NTP server
transmission-daemon\[[0-9]+\]: .+ which was just downloaded, failed its checksum test
systemd[\[0-9\]+]: Failed to reset devices.list on /system\.slice: Invalid argument
systemd[\[0-9\]+]: Failed to reset devices.list on /machine\.slice: Invalid argument
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9\-]+: action 'action [0-9]+' suspended, next retry is
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9\-]+: action 'action [0-9]+' resumed
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9\-]+\]: Connection closed by [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9\-]+\]: .+\.timer: Adding .+ random time\.
^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd was HUPed$
^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd.+ exiting on signal.+$
^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog:.+rsyslogd.+ start$
^\w{3} [ :0-9]{11} [. [:alnum:]-]+ liblogging-stdlog: warning.+action is deprecated, consider using the 'stop' statement instead.+$
^\w{3} [ :0-9]{11} [. [:alnum:]-]+ sh\[[0-9]+\]: GUI:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?: (RSA|ECDSA|ED25519) (SHA256:)?[/+:[:alnum:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: disconnect from
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ cpu user usage.+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ loadavg.+ matches resource limit.+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ monit\[[0-9]+\]: .+ loadavg.+ check succeeded.+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: Stopping ftp server: proftpd.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: Starting ftp server: proftpd.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): Cannot create session: Already running in a session$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupsrv: Login successful for admin from .+ via web interface
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupsrv: Client authentication failure for .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Creating shadowcopy of "root" failed.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Token id for user.+not found$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Token id for group.+not found$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error getting file type of.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error getting extended attribute.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: ERROR: Error stating file .+ to get file tokens. Errno: 13$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ urbackupclientbackend\[[0-9]+\]: No LSB modules are available\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .+ disconnected by user$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from .+ port .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pipe\[[0-9]+\]: .+ delivered via omvnotificationfilter service.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Watching system buttons on /dev/input/event.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Configuration file .+ is marked executable\. Please remove executable permission bits\. Proceeding anyway\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+source3/nmbd/nmbd_namequery\.c:.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+query_name_response: Multiple \([0-9]+\) responses received for a query on subnet.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]:.+This response was from.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-setup: Invoked with.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-apt: Invoked with.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ansible-apt: \[WARNING\] Could not find aptitude\. Using apt-get instead\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Creating SSL connection to host
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: SSL connection using.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Sent mail for.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[0-9\.]+\] \[UFW BLOCK\].+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [a-f0-9]+\[[0-9]+\]: t=.+ lvl=info msg=".+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user .+ from .+ port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .+ port [0-9]+.+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from .+ port [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with .+ port [0-9]+: no matching cipher found. Their offer: .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with .+ port [0-9]+: no matching key exchange method found. Their offer: .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection reset by .+$

8
old/roles/common/templates/ntp.conf.j2 Normal file
View File

@@ -0,0 +1,8 @@
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
restrict source notrap nomodify noquery
server {{ntpserver}}

8
old/roles/common/templates/passwd.client.j2 Normal file
View File

@@ -0,0 +1,8 @@
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
*:{{smtp_auth_user}}:{{smtp_auth_pass}}

31
old/roles/common/templates/update-exim4.conf.conf.j2 Normal file
View File

@@ -0,0 +1,31 @@
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='satellite'
dc_other_hostnames='{{ansible_host}}'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost='{{ansible_host}}'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='{{smtp_hostname}}::{{smtp_port}}'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

10
old/roles/docker/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: restart docker
service:
name: docker
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted

27
old/roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Ensure group "docker" exists
group:
name: docker
state: present
- name: Ensure default user belongs also to docker group
user:
name: "{{default_username}}"
groups: docker
append: yes
- name: Add rsyslog custom rules for Docker
copy:
src: templates/docker.conf
dest: /etc/rsyslog.d/docker.conf
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Add logrotate custom rules for Docker logs
copy:
src: templates/logrotate_docker
dest: /etc/logrotate.d/docker
owner: root
group: root
mode: u=rw,g=r,o=r

2
old/roles/docker/templates/docker.conf Normal file
View File

@@ -0,0 +1,2 @@
if $syslogtag contains 'docker/' then /var/log/docker.log
& ~

12
old/roles/docker/templates/logrotate_docker Normal file
View File

@@ -0,0 +1,12 @@
/var/log/docker.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

17
old/roles/networking/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Configure /etc/network/interfaces
template:
src: "{{interfaces_template}}"
dest: /etc/network/interfaces
register: _configure_interfaces
- block:
- name: Reboot for networking changes
shell: "sleep 5 && shutdown -r now 'Networking changes found, rebooting'"
async: 1
poll: 0
- name: Wait for server to come back online
wait_for_connection:
delay: 15
when: _configure_interfaces is changed

9
old/roles/networking/templates/interfaces-dhcp-server.j2 Normal file
View File

@@ -0,0 +1,9 @@
# The loopback network interface
auto lo
iface lo inet loopback
# eth0 network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
dns-search server

12
old/roles/reboot/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Reboot machine to finalize setup
shell: "sleep 5 && reboot"
async: 1
poll: 0
- name: Wait for the reboot to complete
wait_for_connection:
connect_timeout: 20
sleep: 5
delay: 5
timeout: 300

5
old/roles/ssh/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: restart ssh
service:
name: ssh
state: restarted

34
old/roles/ssh/tasks/main.yml Normal file
View File

@@ -0,0 +1,34 @@
---
- name: Remove any PermitRootLogin instruction
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
state: absent
notify: restart ssh
- name: Disable SSH root login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: "PermitRootLogin prohibit-password"
state: present
notify: restart ssh
- name: Disable password authentication
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no"
state: present
notify: restart ssh
- name: Set SSH port
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^Port"
line: "Port {{sshd_port}}"
state: present
notify: restart ssh
- name: Test
lineinfile

4
old/roles/ufw/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: reload ufw
ufw:
state: reloaded

18
old/roles/ufw/tasks/main.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: Apply custom connection ufw rules
ufw: rule="{{item.rule}}" port="{{item.port}}" src="{{item.src}}" proto="{{item.proto}}" direction="{{item.direction}}"
with_items: "{{ufw_rules}}"
#- name: Limit SSH connection rate
# ufw: rule=limit port=22 proto=tcp
- name: Deny all incoming connections
ufw: "direction=incoming policy=reject"
- name: Enable logging
ufw:
logging: on
- name: Enable firewall
ufw: state=enabled
notify: reload ufw

91
old/roles/user/tasks/main.yml Normal file
View File

@@ -0,0 +1,91 @@
---
- name: Update default user, belonging to sudo group
user:
name: "{{default_username}}"
password: "{{default_password | password_hash('sha512')}}"
groups: sudo
create_home: yes
shell: /bin/bash
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
update_password: always
state: present
- name: Ensure sudo group has sudo privileges without password
lineinfile:
dest: /etc/sudoers
state: present
regexp: "^%sudo"
line: "%sudo ALL=(ALL) NOPASSWD:ALL"
validate: "/usr/sbin/visudo -cf %s"
# copy local files to remote
- name: Install .forward file in users' folders
template:
src: dot.forward.j2
dest: "{{item}}/.forward"
owner: "{{default_username}}"
group: "{{default_username}}"
with_items:
- "/root"
- "/home/{{default_username}}"
- name: Clone dotfiles repository
become_user: "{{item.user}}"
git:
repo: "https://github.com/olivomarco/dotfiles.git"
version: master
dest: "{{item.path}}"
accept_hostkey: yes
clone: yes
update: yes
with_items:
- {user: "{{default_username}}", path: "/home/{{default_username}}/dotfiles"}
- {user: "root", path: "/root/dotfiles"}
# - name: Run dotfiles/setup/setup-user.sh for {{item.user}}
# become_user: "{{item.user}}"
# shell: "{{item.path}}/setup/setup-user.sh"
# with_items:
# - {user: "{{default_username}}", path: "/home/{{default_username}}/dotfiles"}
# - {user: "root", path: "/root/dotfiles"}
- name: Change owner of dotfiles in {{default_username}} folder
file:
path: "/home/{{default_username}}/dotfiles"
owner: "{{default_username}}"
group: "{{default_username}}"
recurse: yes
# other setup
- name: Assign public ssh key to a variable
shell: cat /home/{{default_username}}/{{public_key}}
register: ssh_public_key
- name: Add default username's public SSH key to its authorized_keys file
lineinfile:
dest: "/home/{{default_username}}/.ssh/authorized_keys"
line: "{{ssh_public_key.stdout}}"
state: present
create: yes
- name: Change root password
user:
name: root
password: "{{root_password | password_hash('sha512')}}"
update_password: always
- name: chsh to /usr/bin/zsh for default user and root
user:
name: "{{item}}"
shell: /usr/bin/zsh
with_items:
- "{{default_username}}"
- "root"
- debug:
msg: "user '{{default_username}}' generated password: {{default_password}}"
- debug:
msg: "user 'root' generated password: {{root_password}}"

1
old/roles/user/templates/dot.forward.j2 Normal file
View File

@@ -0,0 +1 @@
{{dot_forward_email}}