secure_ubuntu_server.yml

---
# Ansible script to secure an Ubuntu server. Based on script by Ryan Eschinger.
- hosts: all

  vars:
    UBUNTU_COMMON_ROOT_PASSWORD: 'xxxxx'
    UBUNTU_COMMON_DEPLOY_PASSWORD: 'xxxxx'
    UBUNTU_COMMON_LOGWATCH_EMAIL: user@example.com
    ubuntu_common_deploy_user_name: deploy
    ubuntu_common_deploy_public_keys:
      - ~/.ssh/id_rsa.pub

    ubuntu_common_required_packages:
      - ufw
      - fail2ban
      - unattended-upgrades
      - logwatch

    ubuntu_common_optional_packages:
      - mosh
      - vim

    ubuntu_common_ssh_port: 22
    ubuntu_common_mosh_from_port: 60000
    ubuntu_common_mosh_to_port: 60010

  tasks:
    - name: Change root password
      user: name=root password="{{ UBUNTU_COMMON_ROOT_PASSWORD }}"

    - name: Add deploy user
      user: name={{ ubuntu_common_deploy_user_name }} password="{{ UBUNTU_COMMON_DEPLOY_PASSWORD }}" shell=/bin/bash

    - name: Add authorized keys for deploy user
      authorized_key: user={{ ubuntu_common_deploy_user_name }} key="{{ lookup('file', item) }}"
      with_items: ubuntu_common_deploy_public_keys

    - name: Add deploy user to sudoers
      lineinfile: dest=/etc/sudoers
                  regexp="{{ ubuntu_common_deploy_user_name }} ALL"
                  line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
                  state=present

    - name: Update APT package cache
      apt: update_cache=yes cache_valid_time=3600

    - name: Upgrade APT to the latest packages
      apt: upgrade=safe

    - name: Install required packages
      apt: state=installed pkg={{ item }}
      with_items: ubuntu_common_required_packages

    - name: Install optional packages
      apt: state=installed pkg={{ item }}
      with_items: ubuntu_common_optional_packages

    - name: Adjust APT update intervals
      copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic

    - name: Setup ufw
      ufw: state=enabled policy=deny

    - name: Allow ssh traffic
      ufw: rule=allow port={{ ubuntu_common_ssh_port }} proto=tcp

    - name: Allow mosh traffic
      ufw: rule=allow proto=udp port={{ ubuntu_common_mosh_from_port }}:{{ ubuntu_common_mosh_to_port }}
      when: "'mosh' in ubuntu_common_optional_packages"

    - name: Set up Postfix to relay mail
      debconf: name=postfix
               question='{{ item.question }}'
               value='{{ item.value }}'
               vtype='{{ item.vtype }}'
      with_items:
        - { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
        - { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }

    - name: Email log summary daily
      lineinfile: dest=/etc/cron.daily/00logwatch
                  regexp="^/usr/sbin/logwatch"
                  line="/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
                  state=present create=yes

    - name: Change ssh port
      lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^Port\s"
                  line="Port {{ ubuntu_common_ssh_port }}"
                  state=present
      notify: Restart ssh

    - name: Disallow password authentication
      lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^PasswordAuthentication"
                  line="PasswordAuthentication no"
                  state=present
      notify: Restart ssh

    - name: Disallow root SSH access
      lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^PermitRootLogin"
                  line="PermitRootLogin no"
                  state=present
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service: name=ssh state=restarted