First import

Author: olivomarco

.gitattributes

@@ -0,0 +1,63 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text eol=lf
+
+###############################################################################
+# Set default behavior for command prompt diff.
+#
+# This is need for earlier builds of msysgit that does not have it on by
+# default for csharp files.
+# Note: This is only used by command line
+###############################################################################
+#*.cs     diff=csharp
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following 
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just uncomment the entries below
+###############################################################################
+#*.sln       merge=binary
+#*.csproj    merge=binary
+#*.vbproj    merge=binary
+#*.vcxproj   merge=binary
+#*.vcproj    merge=binary
+#*.dbproj    merge=binary
+#*.fsproj    merge=binary
+#*.lsproj    merge=binary
+#*.wixproj   merge=binary
+#*.modelproj merge=binary
+#*.sqlproj   merge=binary
+#*.wwaproj   merge=binary
+
+###############################################################################
+# behavior for image files
+#
+# image files are treated as binary by default.
+###############################################################################
+#*.jpg   binary
+#*.png   binary
+#*.gif   binary
+
+###############################################################################
+# diff behavior for common document formats
+# 
+# Convert binary document formats to text before diffing them. This feature
+# is only available from the command line. Turn it on by uncommenting the 
+# entries below.
+###############################################################################
+#*.doc   diff=astextplain
+#*.DOC   diff=astextplain
+#*.docx  diff=astextplain
+#*.DOCX  diff=astextplain
+#*.dot   diff=astextplain
+#*.DOT   diff=astextplain
+#*.pdf   diff=astextplain
+#*.PDF   diff=astextplain
+#*.rtf   diff=astextplain
+#*.RTF   diff=astextplain

.gitignore

@@ -0,0 +1,6 @@
+hosts
+fetch
+bootstrap.retry
+provision-*.retry
+vault*decrypted.yml
+venv

README.md

@@ -0,0 +1,33 @@
+# Perfect Linux machine setup with Ansible
+
+In 2020, having a Linux IaaS machine configured and setup should be easy and fast: after all, it's the basic task anybody has to do in order to start working on more-meaningful and productive activities.
+
+However, this is not always the case: you work in different environments (different cloud providers, on-premises environments, lab environments) where you have different base images and different tools, and creating the very same machine is still quite a daunting - or at least *time-consuming* - task.
+
+This project aims to solve that, by providing a **boilerplate yet complete** and **easy-to-use** and **easy-to-customize** way to spin up your own Linux machine.
+
+## Usage
+
+You will need [Ansible](https://ansible.com) on your workstation in order to run this project, and you will need to first install a base Linux image on your target system. The target system can be a Debian-based system or an Ubuntu-based system, since the [apt](https://it.wikipedia.org/wiki/Advanced_Packaging_Tool) package is used.
+
+You can start the fun with the [install.sh](/install.sh) script which takes in input the hostname to configure.
+
+In the output, you will receive the passwords for the default user and the `root` user.
+The script will add your local SSH keys as trusted keys for remote login, and will harden the Linux installation quite a bit.
+In the end, you will also have several utilities installed and a Docker daemon.
+
+The playbook also uses the [olivomarco/dotfiles](https://github.com/olivomarco/dotfiles) repo in order to setup a custom and productive shell for the users of the system.
+
+## Parameters
+
+Please note that some of the parameters provided by this template repo **MUST BE CHANGED** before running the script.
+
+Customization starts by modifying files in [this folder](/group_vars/). In particular, consider that:
+
+- in [all.yml](/group_vars/all.yml) you must modify the `default_username` variable
+- in [all.yml](/group_vars/all.yml) you must modify the `dot_forward_email` variable
+- the [vault.yml](/group_vars/vault.yml) is an [ansible-vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) encrypted file (default password: `secretpassword`) which you must customize with your SMTP parameters
+
+## Final notes
+
+You can, of course, customize everything and add your own tools and configurations: **if you think you have found something useful which can be beneficial to any user using this package, please open a feature request and I will gladly evaluate it**.

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+inventory = hosts

group_vars/all.yml

@@ -0,0 +1,30 @@
+---
+# general settings
+default_username: debian
+dot_forward_email: <YOUR_EMAIL_GOES_HERE>
+private_key: .ssh/id_rsa
+public_key: .ssh/id_rsa.pub
+ntpserver: pool.ntp.org
+timezone: Europe/Rome
+
+# default sshd port
+sshd_port: 22
+
+# generate random passwords for default user and root user
+default_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
+root_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
+
+# unattended packages install configuration
+unattended_mail: "{{dot_forward_email}}"
+unattended_remove_unused_dependencies: true
+unattended_automatic_reboot_time: "03:00"
+unattended_update_days: "Sat"
+unattended_clean_interval: 7
+
+# fail2ban
+fail2ban_loglevel: INFO
+fail2ban_services:
+  - name: ssh
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log

group_vars/apt.yml

@@ -0,0 +1,48 @@
+---
+# packages to install
+packages_to_install:
+    - sudo
+    - python-apt
+    - git-core
+    - ufw
+    - dnsutils
+    - build-essential
+    - acl
+    - screen
+    - bash-completion
+    - ntp
+    - jq
+    - htop
+    - psmisc
+    - python-pip
+    - python3-pip
+    - vim
+    - netcat
+    - net-tools
+    - nmap
+    - lynx
+    - wget
+    - curl
+    - gzip
+    - rsync
+    - logrotate
+    # - logcheck
+    - rkhunter
+    - cryptsetup
+    - python-glade2
+    - dos2unix
+    - mlocate
+    - rclone
+    - bc
+    - zsh
+    - hddtemp
+    - lm-sensors
+    - qemu-guest-agent
+    - atop
+    - sshfs
+    - reptyr
+    - lvm2
+    - parted
+    - rename
+    - glances
+    - gnupg

group_vars/docker.yml

@@ -0,0 +1,20 @@
+---
+# docker
+docker__channel: ["stable"]
+docker__version: "19.03.5"
+docker__state: "present"
+docker__compose_version: "1.25.0"
+docker__users: ["{{default_username}}"]
+docker__daemon_flags:
+  - "-H unix://"
+  #- "-H unix:// --iptables=false"
+# "a" removes unused images (useful in production).
+# "f" forces it to happen without prompting you to agree.
+docker__cron_jobs_prune_flags: "af"
+docker__cron_jobs:
+  - name: "Docker disk clean up"
+    job: "docker system prune -{{docker__cron_jobs_prune_flags}} > /dev/null 2>&1"
+    schedule: ["0", "0", "*", "*", "0"]
+    cron_file: "docker-disk-clean-up"
+    user: "{{(docker__users | first) | d('root')}}"
+    state: "present"

group_vars/monit.yml

@@ -0,0 +1,30 @@
+---
+# monit
+config_monit: true
+monit_enable_email_notifications: false
+monit_email_to: "{{dot_forward_email}}"
+monit_enable_web_server: false
+monit_web_server_allow_list:
+  - localhost
+monit_web_server_local_only: true
+monit_monitor_services:
+  - name: "cron"
+    monitored: true
+    pidfile: "/var/run/crond.pid"
+    start_program: "/usr/sbin/service cron start"
+    stop_program: "/usr/sbin/service cron stop"
+  - name: "fail2ban"
+    monitored: true
+    pidfile: "/var/run/fail2ban/fail2ban.pid"
+    start_program: "/etc/init.d/fail2ban start"
+    stop_program: "/etc/init.d/fail2ban stop"
+  - name: "sshd"
+    monitored: true
+    pidfile: "/var/run/sshd.pid"
+    start_program: "/etc/init.d/ssh start"
+    stop_program: "/etc/init.d/ssh stop"
+  - name: "syslogd"
+    monitored: true
+    pidfile: "/var/run/rsyslogd.pid"
+    start_program: "/etc/init.d/rsyslog start"
+    stop_program: "/etc/init.d/rsyslog stop"

group_vars/networking.yml

@@ -0,0 +1,14 @@
+---
+# Local LAN IP-range addresses
+local_lan: "192.168.0.0/16"
+docker_overlay_ips: "172.0.0.0/8"
+
+# ufw rules
+ufw_rules:
+  - {rule: allow, port: 22, src: "{{local_lan}}", proto: tcp, direction: "in"}
+  - {rule: allow, port: 22, src: "{{docker_overlay_ips}}", proto: tcp, direction: "in"}
+  # - {rule: allow, port: 80, src: "0.0.0.0/0", proto: tcp, direction: "in"}
+  # - {rule: allow, port: 443, src: "0.0.0.0/0", proto: tcp, direction: "in"}
+
+# network configuration for our server
+interfaces_template: "interfaces-dhcp-server.j2"

group_vars/vault.yml

@@ -0,0 +1,15 @@
+$ANSIBLE_VAULT;1.1;AES256
+36663239336238393633346563366232393635633365343535663163336438613066633062626133
+3630376365643565653430363030616132383332306339370a393139616163366461376133373935
+35386535363862353237306264336230646334346162316666613238343863303336633533626538
+3364313966306362330a626634313961326664303761363635633039333138353331306132636261
+35623366333637353962383730613966336461623936376235313365303661663238316563613838
+33303032306137373863303564643236653530333366366136363837666661663864376139626634
+64613839333335663237333533633464393831663331356437376133396330396661366366373461
+33353462393063313731316364333034373066653563336533363032363038326331303433666634
+62376637343463386538333566303234313330663234313664616433653563353165386366653638
+65613736633135316463316537653638326233353134343537393239663537613734313762346434
+63393437356366613332623666383532363365303239666637666362626366623862666334303537
+35333663343137643737383533323134363937386239616136326534653261636361386463326236
+64306433666465343066333136346434656537626631656632393737626565396130373036333530
+3265646137373062393035636531376339623231366139373664

install.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+usage() {
+    echo "USAGE: ${0} [-h] [-D] -H hostname [-p password_file]"
+    echo ""
+    echo "Configures the given role for the given hostname."
+    echo ""
+    echo "Options:"
+    echo "  -h runs help (this screen)"
+    echo "  -D debug mode on (more verbose output)"
+    echo ""
+    echo "  -H the target hostname to configure"
+    echo "  -p password_file is an optional path to a password file for Ansible"
+    echo ""
+}
+
+# check invocation
+if (! getopts ":hDH:p:" opt); then
+  usage
+  exit $E_OPTERROR;
+fi
+
+debug_mode=0
+
+# parse arguments
+while getopts ":hDH:p:" opt; do
+  case $opt in
+    h)
+      usage
+      exit 1
+      ;;
+    D)
+      debug_mode=1
+      ;;
+  	H)
+      hostname=($OPTARG)
+	  ;;
+    p)
+      password_file=($OPTARG)
+      ;;
+    \?)
+      echo "Invalid option: -${OPTARG}" >&2
+      usage
+      exit 1
+      ;;
+  esac
+done
+shift $((OPTIND -1))
+
+virtualenv -q -p $(which python3) venv
+source venv/bin/activate
+
+# install local requirements for ansible
+ansible-galaxy install -r requirements.yml
+# install additional pre-requirements
+pip install jmespath dnspython
+
+# export ansible variables
+export ANSIBLE_LOAD_CALLBACK_PLUGINS=1
+if [ $debug_mode -eq 0 ] ; then
+  export ANSIBLE_STDOUT_CALLBACK="unixy"
+else
+  export ANSIBLE_STDOUT_CALLBACK="skippy"
+fi
+
+# create hosts file
+echo "[prod]" > hosts
+echo "${hostname}" >> hosts
+
+# run ansible
+if [ -z $password_file ] ; then
+    ansible-playbook -i hosts provision.yml --vault-id @prompt
+else
+    ansible-playbook -i hosts provision.yml --vault-password-file $password_file
+fi
+
+deactivate

provision.yml

@@ -0,0 +1,36 @@
+---
+- hosts: prod
+  vars_files:
+    - group_vars/all.yml
+    - group_vars/apt.yml
+    - group_vars/docker.yml
+    - group_vars/monit.yml
+    - group_vars/networking.yml
+    - group_vars/vault.yml
+  user: "{{default_username}}"  # run whole script with default user
+  become: yes
+  roles:  # order is not random!
+    - role: nickjj.fail2ban
+      tags: fail2ban
+    - role: common
+      tags: common
+    - role: ufw
+      tags: ufw
+    - role: user
+      tags: user
+    - role: ssh
+      tags: ssh
+    - role: nickjj.docker
+      tags: docker
+    - role: docker
+      tags: docker
+    - role: jnv.debian-backports
+      tags: common
+    - role: ansible-monit
+      tags: common
+    - role: jnv.unattended-upgrades
+      tags: common
+    - role: networking
+      tags: networking
+    - role: reboot
+      tags: reboot

requirements.yml

@@ -0,0 +1,6 @@
+---
+- src: nickjj.fail2ban
+- src: nickjj.docker
+- src: https://github.com/mrlesmithjr/ansible-monit
+- src: jnv.debian-backports
+- src: jnv.unattended-upgrades