Add all files needed to bring up VM and run agaric.com locally

box/provisioning/roles/geerlingguy.security/.travis.yml

@@ -0,0 +1,52 @@
+---
+services: docker
+
+env:
+  - distro: centos7
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  - distro: centos6
+    init: /sbin/init
+    run_opts: ""
+  - distro: ubuntu1604
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  - distro: ubuntu1404
+    init: /sbin/init
+    run_opts: ""
+  - distro: debian8
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+before_install:
+  # Pull container.
+  - 'docker pull geerlingguy/docker-${distro}-ansible:latest'
+
+script:
+  - container_id=$(mktemp)
+  # Run container in detached state.
+  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/role_under_test:ro ${run_opts} geerlingguy/docker-${distro}-ansible:latest "${init}" > "${container_id}"'
+
+  # Ansible syntax check.
+  - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/role_under_test/tests/test.yml --syntax-check'
+
+  # Test role.
+  - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/role_under_test/tests/test.yml'
+
+  # Test role idempotence.
+  - idempotence=$(mktemp)
+  - docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/role_under_test/tests/test.yml | tee -a ${idempotence}
+  - >
+    tail ${idempotence}
+    | grep -q 'changed=0.*failed=0'
+    && (echo 'Idempotence test: pass' && exit 0)
+    || (echo 'Idempotence test: fail' && exit 1)
+
+  # Make sure fail2ban process is running.
+  - >
+    sudo docker exec "$(cat ${container_id})" ps -ax | grep -q 'fail2ban'
+    && (echo 'fail2ban is on: pass' && exit 0)
+    || (echo 'fail2ban is on: fail' && exit 1)
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

box/provisioning/roles/geerlingguy.security/README.md

@@ -0,0 +1,89 @@
+# Ansible Role: Security (Basics)
+
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-security.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-security)
+
+**First, a major, MAJOR caveat**: the security of your servers is YOUR responsibility. If you think simply including this role and adding a firewall makes a server secure, then you're mistaken. Read up on Linux, network, and application security, and know that no matter how much you know, you can always make every part of your stack more secure.
+
+That being said, this role performs some basic security configuration on RedHat and Debian-based linux systems. It attempts to:
+
+  - Install software to monitor bad SSH access (fail2ban)
+  - Configure SSH to be more secure (disabling root login, requiring key-based authentication, and allowing a custom SSH port to be set)
+  - Set up automatic updates (if configured to do so)
+
+There are a few other things you may or may not want to do (which are not included in this role) to make sure your servers are more secure, like:
+
+  - Use logwatch or a centralized logging server to analyze and monitor log files
+  - Securely configure user accounts and SSH keys (this role assumes you're not using password authentication or logging in as root)
+  - Have a well-configured firewall (check out the `geerlingguy.firewall` role on Ansible Galaxy for a flexible example)
+
+Again: Your servers' security is *your* responsibility.
+
+## Requirements
+
+For obvious reasons, `sudo` must be installed if you want to manage the sudoers file with this role.
+
+On RedHat/CentOS systems, make sure you have the EPEL repository installed (you can include the `geerlingguy.repo-epel` role to get it installed).
+
+No special requirements for Debian/Ubuntu systems.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+    security_ssh_port: 22
+
+The port through which you'd like SSH to be accessible. The default is port 22, but if you're operating a server on the open internet, and have no firewall blocking access to port 22, you'll quickly find that thousands of login attempts per day are not uncommon. You can change the port to a nonstandard port (e.g. 2849) if you want to avoid these thousands of automated penetration attempts.
+
+    security_ssh_password_authentication: "no"
+    security_ssh_permit_root_login: "no"
+    security_ssh_usedns: "no"
+
+Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`.
+
+    security_sudoers_passwordless: []
+    security_sudoers_passworded: []
+
+A list of users who should be added to the sudoers file so they can run any command as root (via `sudo`) either without a password or requiring a password for each command, respectively.
+
+    security_autoupdate_enabled: true
+
+Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgrades` (Debian-based systems). System restarts will not happen automatically in any case, and automatic upgrades are no excuse for sloppy patch and package management, but automatic updates can be helpful as yet another security measure.
+
+    security_autoupdate_blacklist: []
+
+(Debian/Ubuntu only) A listing of packages that should not be automatically updated.
+
+    security_autoupdate_mail_to: ""
+    security_autoupdate_mail_on_error: true
+
+(Debian/Ubuntu only) If `security_autoupdate_mail_to` is set to an non empty value, unattended upgrades will send an e-mail to that address when some error occurs. You may either set this to a full email: `ops@example.com` or to something like `root`, which will use `/etc/aliases` to route the message. If you set `security_autoupdate_mail_on_error` to `false` you'll get an email after every package install.
+
+    security_fail2ban_enabled: true
+
+Wether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)).
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+    - hosts: servers
+      vars_files:
+        - vars/main.yml
+      roles:
+        - geerlingguy.security
+
+*Inside `vars/main.yml`*:
+
+    security_sudoers_passworded:
+      - johndoe
+      - deployacct
+
+## License
+
+MIT (Expat) / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](http://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

box/provisioning/roles/geerlingguy.security/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+security_ssh_port: 22
+security_ssh_password_authentication: "no"
+security_ssh_permit_root_login: "no"
+security_ssh_usedns: "no"
+security_ssh_permit_empty_password: "no"
+security_ssh_challenge_response_auth: "no"
+security_ssh_gss_api_authentication: "no"
+security_ssh_x11_forwarding: "no"
+
+security_sudoers_passwordless: []
+security_sudoers_passworded: []
+
+security_autoupdate_enabled: true
+security_autoupdate_blacklist: []
+
+# Autoupdate mail settings used on Debian/Ubuntu only.
+security_autoupdate_mail_to: ""
+security_autoupdate_mail_on_error: true
+
+security_fail2ban_enabled: true

box/provisioning/roles/geerlingguy.security/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart ssh
+  service: "name={{ security_sshd_name }} state=restarted"

box/provisioning/roles/geerlingguy.security/meta/main.yml

@@ -0,0 +1,22 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: geerlingguy
+  description: Security software installation and configuration.
+  company: "Midwestern Mac, LLC"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 1.9
+  platforms:
+    - name: EL
+      versions:
+      - all
+    - name: Debian
+      versions:
+      - all
+    - name: Ubuntu
+      versions:
+      - all
+  galaxy_tags:
+    - system
+    - security

box/provisioning/roles/geerlingguy.security/tasks/autoupdate-Debian.yml

@@ -0,0 +1,14 @@
+---
+- name: Install unattended upgrades package.
+  apt: name=unattended-upgrades state=present
+
+- name: Copy unattended-upgrades configuration files in place.
+  template:
+    src: "../templates/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - 10periodic
+    - 50unattended-upgrades

box/provisioning/roles/geerlingguy.security/tasks/autoupdate-RedHat.yml

@@ -0,0 +1,13 @@
+---
+- name: Install yum-cron.
+  yum: name=yum-cron state=present
+
+- name: Ensure yum-cron is running and enabled on boot.
+  service: name=yum-cron state=started enabled=yes
+
+- name: Configure autoupdates (RHEL 7).
+  lineinfile:
+    dest: "/etc/yum/yum-cron.conf"
+    regexp: '^apply_updates = .+'
+    line: 'apply_updates = yes'
+  when: security_autoupdate_enabled and ansible_distribution_major_version | int == 7

box/provisioning/roles/geerlingguy.security/tasks/fail2ban-Debian.yml

@@ -0,0 +1,3 @@
+---
+- name: Install fail2ban.
+  apt: name=fail2ban state=present

box/provisioning/roles/geerlingguy.security/tasks/fail2ban-RedHat.yml

@@ -0,0 +1,3 @@
+---
+- name: Install fail2ban.
+  yum: name=fail2ban state=present enablerepo=epel

box/provisioning/roles/geerlingguy.security/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
+# Fail2Ban
+- include: fail2ban-RedHat.yml
+  when: ansible_os_family == 'RedHat' and security_fail2ban_enabled
+
+- include: fail2ban-Debian.yml
+  when: ansible_os_family == 'Debian' and security_fail2ban_enabled
+
+- name: Ensure fail2ban is running and enabled on boot.
+  service: name=fail2ban state=started enabled=yes
+  when: security_fail2ban_enabled
+
+# SSH
+- include: ssh.yml
+
+# Autoupdate
+- include: autoupdate-RedHat.yml
+  when: ansible_os_family == 'RedHat' and security_autoupdate_enabled
+
+- include: autoupdate-Debian.yml
+  when: ansible_os_family == 'Debian' and security_autoupdate_enabled

box/provisioning/roles/geerlingguy.security/tasks/ssh.yml

@@ -0,0 +1,45 @@
+---
+- name: Update SSH configuration to be more secure.
+  lineinfile:
+    dest: "{{ security_ssh_config_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
+    - regexp: "^Port"
+      line: "Port {{ security_ssh_port }}"
+    - regexp: "^UseDNS"
+      line: "UseDNS {{ security_ssh_usedns }}"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
+  notify: restart ssh
+
+- name: Add configured user accounts to passwordless sudoers.
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^{{ item }}'
+    line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
+    state: present
+    validate: 'visudo -cf %s'
+  with_items: "{{ security_sudoers_passwordless }}"
+  when: security_sudoers_passwordless | length > 0
+
+- name: Add configured user accounts to passworded sudoers.
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^{{ item }}'
+    line: '{{ item }} ALL=(ALL) ALL'
+    state: present
+    validate: 'visudo -cf %s'
+  with_items: "{{ security_sudoers_passworded }}"
+  when: security_sudoers_passworded | length > 0

box/provisioning/roles/geerlingguy.security/templates/10periodic.j2

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

box/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2

@@ -0,0 +1,19 @@
+Unattended-Upgrade::Automatic-Reboot "false";
+
+{% if security_autoupdate_mail_to %}
+Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}";
+{% if security_autoupdate_mail_on_error %}
+Unattended-Upgrade::MailOnlyOnError "true";
+{% endif %}
+{% endif %}
+
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id} ${distro_codename}-security";
+//      "${distro_id} ${distro_codename}-updates";
+};
+
+Unattended-Upgrade::Package-Blacklist{
+{% for package in security_autoupdate_blacklist %}
+      "{{package}}";
+{% endfor %}
+}

box/provisioning/roles/geerlingguy.security/tests/test.yml

@@ -0,0 +1,32 @@
+- hosts: all
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+
+    - name: Ensure build dependencies are installed (RedHat).
+      yum: 'name="{{ item }}" state=present'
+      with_items:
+        - openssh-server
+        - openssh-clients
+      when: ansible_os_family == 'RedHat'
+
+    - name: Ensure build dependencies are installed (Debian).
+      apt: 'name="{{ item }}" state=present'
+      with_items:
+        - openssh-server
+        - openssh-client
+      when: ansible_os_family == 'Debian'
+
+    - name: Ensure auth.log file is present.
+      copy:
+        dest: /var/log/auth.log
+        content: ""
+        force: no
+      when: >
+        (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04') or
+        (ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie')
+
+  roles:
+    - role_under_test

box/provisioning/roles/geerlingguy.security/vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+security_ssh_config_path: /etc/ssh/sshd_config
+security_sshd_name: ssh

box/provisioning/roles/geerlingguy.security/vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+security_ssh_config_path: /etc/ssh/sshd_config
+security_sshd_name: sshd