update ansible roles

ansible/redbrick-ansible.yml

@@ -5,19 +5,35 @@
 # before running the playbook, ignores uncommitted changes
 - name: Check local repository is up to date
   hosts: localhost
-  roles: 
-    - { role: git-compare-head } # Prevent execution on out-of-date or divergent branches
-
-- name: Redbrick general management
-  hosts: all
   roles:
-    #- { role: apt } # update all packages, equivalent to `apt update && apt upgrade`
+      - { role: git-compare-head } # Prevent execution on out-of-date or divergent branches
-    #- { role: ssh } # add users defined in roles/defaults/main.yml
-    #- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail`
 
-- name: Configure Nomad & Consul
+# - name: Redbrick general management
-  hosts: nomad
+#   hosts: all
-  roles:
+#   roles:
-    #- { role: hashicorp-apt } # add hashicorp apt repo to apt sources
+#- { role: apt } # update all packages, equivalent to `apt update && apt upgrade`
-    #- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group
+#- { role: ssh } # add users defined in roles/defaults/main.yml
-    #- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group
+#- { role: fail2ban } # add and configure fail2ban with jail file located in `templates/fail2ban.jail`
+
+# - name: Configure Nomad & Consul
+#   hosts: nomad
+#   roles:
+#- { role: hashicorp-apt } # add hashicorp apt repo to apt sources
+#- { role: configure-nomad } # install nomad, configure and start the client & server based on `templates/` on nomad group
+#- { role: configure-consul } # install consul, configure and start the client & server based on `templates/` on nomad group
+
+# - name: Configure NFS server
+#   hosts: nfs_servers
+#   roles:
+#       - { role: configure-nfs-server } # install nfs server and configure based on `templates/` on nfs group
+
+# - name: Configure NFS client
+#   hosts: nfs_clients
+#   roles:
+#       - { role: configure-nfs-client } # install nfs client and configure based on `templates/` on nfs_clients group
+
+# - name: Configure logging stack
+#   hosts: all
+#   roles:
+# - { role: elastic-apt } # add elastic apt repo to apt sources
+# - { role: logging } # install and configure logging stack based on `templates/` on all hosts

ansible/roles/apt/defaults/main.yml

@@ -1,4 +1,3 @@
----
 apt_packages:
   - cron
   - curl
@@ -13,6 +12,7 @@ apt_packages:
   - psmisc
   - sudo
   - mosh
+  - logstash
 
-apt_install_packages: false
+apt_install_packages: true
 apt_update_packages: true

ansible/roles/apt/tasks/main.yml

@@ -5,13 +5,13 @@
     upgrade: yes
     autoclean: yes
     autoremove: yes
-    update_cache: yes  
+    update_cache: yes
   when: ansible_os_family == "Debian" and apt_update_packages
   register: result
 
 - name: List installed and updated packages
   become: true
-  shell: 
+  shell:
     cmd: 'grep -E "^$(date +%Y-%m-%d).+ (install|upgrade) " /var/log/dpkg.log | cut -d " " -f 3-5'
   register: result
 
@@ -22,6 +22,14 @@
 - name: install common tools
   become: true
   ansible.builtin.apt:
-    name: "{{ item }}"
+    name:
-  with_items: "{{ apt_packages }}"
+      - cron
+      - curl
+      - git
+      - htop
+      - net-tools
+      - nmap
+      - sysstat
+      - vim
+      - webhook
   when: ansible_os_family == "Debian" and apt_install_packages

ansible/roles/configure-consul/tasks/main.yml

@@ -45,4 +45,4 @@
   debug:
     msg: "{{ consul_members.stdout_lines }}"
   when: ansible_check_mode == false
-  
+# TODO: CONFIGURE CONSUL DNS

ansible/roles/hashicorp-apt/tasks/main.yml

@@ -1,5 +1,12 @@
 ---
 
+- name: Ensure required packages are installed
+  become: true
+  apt:
+    name: "{{ item }}"
+  with_items: ["software-properties-common", "gnupg"]
+  when: ansible_os_family == "Debian"
+
 - name: Add Hashicorp apt key
   become: true
   shell:

ansible/roles/ssh/defaults/main.yml

@@ -1,14 +1,16 @@
 ---
-
 # a current listing of all admins who have ssh access to Redbrick.
 
 github_users:
   - user: mojito
     # omitting account variable won't add any github keys to the user.
-    account: DistroByte 
+    account: DistroByte
     groups: [sudo]
-  - user: slatt
+  - user: poitin
-    account: cawnj
+    account: leath-dub
+    groups: [sudo]
+  - user: jameson
+    account: wizzdom
     groups: [sudo]
 
 github_url: https://github.com

ansible/roles/ssh/tasks/main.yml

@@ -49,7 +49,6 @@
 - name: Inform user to add password for account
   debug:
     msg: "Please add a password for the following accounts: {{ github_users | map(attribute='user') | list | join(', ') }}. See https://docs.redbrick.dcu.ie/aperture/ssh/ for more information."
-
 # - name: Remove user account
 #   debug:
-#     msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"'
+#     msg: 'ansible -i hosts all -m user -a "name={{ user }} state=absent remove=true" --become"'

ansible/templates/sshd_config.j2

@@ -1,15 +1,13 @@
 Include /etc/ssh/sshd_config.d/*.conf
 
 ChallengeResponseAuthentication no
-
 UsePAM no
-
 X11Forwarding yes
 PrintMotd no
 AcceptEnv LANG LC_*
-Subsystem       sftp    /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
-Port 22
+Port 80
-
+GatewayPorts yes
 PermitRootLogin no
 PubkeyAuthentication yes
 AuthorizedKeysFile %h/.ssh/authorized_keys
@@ -18,5 +16,6 @@ PermitEmptyPasswords no
 GSSAPIAuthentication no
 AuthenticationMethods publickey,password
 
+# Disable 2fa while on VPN
 Match address 10.10.0.0/24,10.8.0.0/24,10.230.0.0/16,136.206.15.0/24,136.206.16.0/24
   AuthenticationMethods publickey password