Add all files needed to bring up VM and run agaric.com locally

box/provisioning/roles/geerlingguy.security/tasks/autoupdate-Debian.yml

@@ -0,0 +1,14 @@
+---
+- name: Install unattended upgrades package.
+  apt: name=unattended-upgrades state=present
+
+- name: Copy unattended-upgrades configuration files in place.
+  template:
+    src: "../templates/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - 10periodic
+    - 50unattended-upgrades

box/provisioning/roles/geerlingguy.security/tasks/autoupdate-RedHat.yml

@@ -0,0 +1,13 @@
+---
+- name: Install yum-cron.
+  yum: name=yum-cron state=present
+
+- name: Ensure yum-cron is running and enabled on boot.
+  service: name=yum-cron state=started enabled=yes
+
+- name: Configure autoupdates (RHEL 7).
+  lineinfile:
+    dest: "/etc/yum/yum-cron.conf"
+    regexp: '^apply_updates = .+'
+    line: 'apply_updates = yes'
+  when: security_autoupdate_enabled and ansible_distribution_major_version | int == 7

box/provisioning/roles/geerlingguy.security/tasks/fail2ban-Debian.yml

@@ -0,0 +1,3 @@
+---
+- name: Install fail2ban.
+  apt: name=fail2ban state=present

box/provisioning/roles/geerlingguy.security/tasks/fail2ban-RedHat.yml

@@ -0,0 +1,3 @@
+---
+- name: Install fail2ban.
+  yum: name=fail2ban state=present enablerepo=epel

box/provisioning/roles/geerlingguy.security/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
+# Fail2Ban
+- include: fail2ban-RedHat.yml
+  when: ansible_os_family == 'RedHat' and security_fail2ban_enabled
+
+- include: fail2ban-Debian.yml
+  when: ansible_os_family == 'Debian' and security_fail2ban_enabled
+
+- name: Ensure fail2ban is running and enabled on boot.
+  service: name=fail2ban state=started enabled=yes
+  when: security_fail2ban_enabled
+
+# SSH
+- include: ssh.yml
+
+# Autoupdate
+- include: autoupdate-RedHat.yml
+  when: ansible_os_family == 'RedHat' and security_autoupdate_enabled
+
+- include: autoupdate-Debian.yml
+  when: ansible_os_family == 'Debian' and security_autoupdate_enabled

box/provisioning/roles/geerlingguy.security/tasks/ssh.yml

@@ -0,0 +1,45 @@
+---
+- name: Update SSH configuration to be more secure.
+  lineinfile:
+    dest: "{{ security_ssh_config_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
+    - regexp: "^Port"
+      line: "Port {{ security_ssh_port }}"
+    - regexp: "^UseDNS"
+      line: "UseDNS {{ security_ssh_usedns }}"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
+  notify: restart ssh
+
+- name: Add configured user accounts to passwordless sudoers.
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^{{ item }}'
+    line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
+    state: present
+    validate: 'visudo -cf %s'
+  with_items: "{{ security_sudoers_passwordless }}"
+  when: security_sudoers_passwordless | length > 0
+
+- name: Add configured user accounts to passworded sudoers.
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^{{ item }}'
+    line: '{{ item }} ALL=(ALL) ALL'
+    state: present
+    validate: 'visudo -cf %s'
+  with_items: "{{ security_sudoers_passworded }}"
+  when: security_sudoers_passworded | length > 0