init

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory      = ./inventory.yaml
+#ask_vault_pass = True

host_vars/node01.yaml

@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.11
+wg_private_key: "sBrZZx++c+DtIaJuLuRDB/bLkBY437b5J98/E/60yVk="
+wg_public_key: "RKebfofXjg07c3I2TFpKXtwxysEYCSfRjZqAMv7QiDg="

host_vars/node02.yaml

@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.12
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "6XnA2lYli12XTEIJuN0jHZ65n51FGvbEkUJWEZiR0m0="

host_vars/node03.yaml

@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.13
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "M2ohfUS2iHIoo0tXtqhQt8uJ/CdjVUZg9NiGx1SEfA0="

inventory.yaml

@@ -0,0 +1,3 @@
+node01 ansible_ssh_user=root ansible_ssh_host=78.47.49.236
+node02 ansible_ssh_user=root ansible_ssh_host=78.46.186.206
+node03 ansible_ssh_user=root ansible_ssh_host=78.47.122.172

roles/base/files/root.profile

@@ -0,0 +1,16 @@
+# ~/.profile: executed by Bourne-compatible login shells.
+
+if [ "$BASH" ]; then
+  if [ -f ~/.bashrc ]; then
+    . ~/.bashrc
+  fi
+fi
+
+mesg n || true
+
+sname="t-$(hostname)"
+
+if [[ -z "$TMUX" ]] && [ "$SSH_CONNECTION" != "" ]; then
+  tmux attach-session -t $sname || tmux new-session -s $sname
+  exit
+fi

roles/base/handlers/main.yaml

@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted

roles/base/tasks/main.yaml

@@ -0,0 +1,77 @@
+---
+- name: set time zone
+  file:
+    src: /usr/share/zoneinfo/Etc/UTC
+    dest: /etc/localtime
+    state: link
+- name: install packages
+  apt:
+    name:
+      - etckeeper
+      - logwatch
+      - unattended-upgrades
+      - needrestart
+      - htop
+      - unzip
+      - rkhunter
+      - iotop
+      - sudo
+      - tmux
+      - rsync
+    state: present
+- name: configure ssh kex and ciphers
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "{{item}}"
+    regexp: "{{item.split()[0]}}.*"
+    state: present
+  notify: restart sshd
+  loop:
+    - "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
+    - "HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
+    - "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
+    - "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
+- name: disable ssh v1
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "Protocol 2"
+    regexp: "^Protocol"
+    state: present
+  notify: restart sshd
+- name: disable ssh root password login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "PermitRootLogin without-password"
+    regexp: "^PermitRootLogin"
+    state: present
+  notify: restart sshd
+- name: disable ssh root check in rkhunter
+  lineinfile:
+    dest: /etc/rkhunter.conf
+    line: "{{item}}"
+    state: present
+  with_items:
+    - 'ALLOW_SSH_ROOT_USER=without-password'
+    - 'ALLOWHIDDENDIR=/etc/.git'
+    - 'ALLOWHIDDENFILE=/etc/.gitignore'
+    - 'ALLOWHIDDENFILE=/etc/.etckeeper'
+    - 'ALLOWDEVFILE=/dev/shm/rhm.*'
+- name: copy roots dotprofile
+  copy:
+    src: root.profile
+    dest: /root/.profile
+- name: create terminfo directory
+  file:
+    name: /etc/terminfo/x
+    state: directory
+- name: copy termite terminfo
+  copy:
+    src: xterm-termite
+    dest: /etc/terminfo/x/xterm-termite
+- name: enable services
+  systemd:
+    name: "{{item}}"
+    enabled: yes
+    state: started
+  with_items:
+    - unattended-upgrades

roles/wireguard/handlers/main.yaml

@@ -0,0 +1,3 @@
+---
+- name: ifup nodevpn
+  command: ifup nodevpn

roles/wireguard/tasks/main.yaml

@@ -0,0 +1,27 @@
+---
+- name: add unstable repo for wireguard
+  apt_repository:
+    repo: "deb http://deb.debian.org/debian/ unstable main"
+    update_cache: no
+- name: pin unstable as unwanted
+  blockinfile:
+    create: yes
+    path: /etc/apt/preferences.d/limit-unstable
+    block: |
+      Package: *
+      Pin: release a=unstable
+      Pin-Priority: 90
+- name: install wireguard
+  apt:
+    name: wireguard
+    update_cache: yes
+- name: configure wireguard
+  template:
+    dest: /etc/wireguard/nodevpn.conf
+    src: wireguard-nodevpn.conf.j2
+  notify: ifup nodevpn
+- name: configure wireguard interface
+  template:
+    dest: /etc/network/interfaces.d/nodevpn.cfg
+    src: interfaces-nodevpn.cfg.j2
+  notify: ifup nodevpn

roles/wireguard/templates/interfaces-nodevpn.cfg.j2

@@ -0,0 +1,7 @@
+auto nodevpn
+iface nodevpn inet static
+  address {{wg_ip}}
+  netmask 255.255.255.0
+  pre-up ip link add $IFACE type wireguard
+  pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+  post-down ip link del $IFACE

roles/wireguard/templates/wireguard-nodevpn.conf.j2

@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey = {{wg_private_key}}
+ListenPort = 51820
+
+{% for vars in hostvars.values() %}
+[Peer]
+Endpoint = {{vars.ansible_ssh_host}}:51820
+PublicKey = {{vars.wg_public_key}}
+AllowedIPs = {{vars.wg_ip}}
+{% endfor %}

site.yml

@@ -0,0 +1,6 @@
+---
+- name: deploy base setup
+  hosts: all
+  roles:
+    - base
+    - wireguard