From c8a46b53dc33363759fdaa91e338a884f412148c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Pradel?= Date: Sun, 9 Nov 2025 18:16:59 +0100 Subject: [PATCH 1/4] chore: change ansible defaults --- ansible/docker/handlers/main.yml | 6 ++-- ansible/docker/tasks/main.yml | 34 ++++++++++++++------- ansible/firewall/tasks/main.yml | 24 +++++++-------- ansible/packages/handlers/main.yml | 12 ++++---- ansible/packages/tasks/main.yml | 39 ++++++++++++++++++------ ansible/playbook.yml | 8 +++-- ansible/reboot_if_needed/tasks/main.yml | 9 ++++++ ansible/requirements.yml | 3 ++ ansible/security/handlers/main.yml | 5 ++++ ansible/security/tasks/main.yml | 38 +++++++++++++++++++++++ ansible/snap/tasks/main.yml | 8 ----- ansible/ssh/handlers/main.yml | 5 ---- ansible/ssh/tasks/main.yml | 40 ------------------------- 13 files changed, 136 insertions(+), 95 deletions(-) create mode 100644 ansible/reboot_if_needed/tasks/main.yml create mode 100644 ansible/requirements.yml create mode 100644 ansible/security/handlers/main.yml create mode 100644 ansible/security/tasks/main.yml delete mode 100644 ansible/snap/tasks/main.yml delete mode 100644 ansible/ssh/handlers/main.yml delete mode 100644 ansible/ssh/tasks/main.yml diff --git a/ansible/docker/handlers/main.yml b/ansible/docker/handlers/main.yml index 4e8c5a0e..77ac3dbc 100644 --- a/ansible/docker/handlers/main.yml +++ b/ansible/docker/handlers/main.yml @@ -1,6 +1,6 @@ --- -- name: restart docker - service: +- name: Restart docker + ansible.builtin.service: name: docker state: restarted - enabled: yes + enabled: true diff --git a/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml index 0bd8474b..443c39e5 100644 --- a/ansible/docker/tasks/main.yml +++ b/ansible/docker/tasks/main.yml 
@@ -1,32 +1,46 @@ --- +# See: https://docs.docker.com/engine/install/ubuntu/ + - name: Ensure old versions of Docker are not installed - package: + ansible.builtin.apt: name: + - containerd - docker - - docker.io + - docker-compose + - docker-compose-v2 + - docker-doc - docker-engine + - docker.io + - podman-docker + - runc state: absent -- name: Add Docker apt key - get_url: +- name: Create directory for Docker GPG key + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + mode: "0755" + +- name: Add Docker GPG apt key + ansible.builtin.get_url: url: "https://download.docker.com/linux/ubuntu/gpg" - dest: /etc/apt/trusted.gpg.d/docker.asc - mode: 0644 + dest: /etc/apt/keyrings/docker.asc + mode: "0644" force: false - name: Add Docker repository - apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present filename: docker update_cache: true - name: Install Docker packages - package: + ansible.builtin.apt: name: - docker-ce - docker-ce-cli - containerd.io state: present notify: - - restart docker + - Restart docker diff --git a/ansible/firewall/tasks/main.yml b/ansible/firewall/tasks/main.yml index 7e255c12..805555cf 100644 --- a/ansible/firewall/tasks/main.yml +++ b/ansible/firewall/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Configure ufw defaults - ufw: + community.general.ufw: direction: "{{ item.direction }}" policy: "{{ item.policy }}" loop: 
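Review bot: The key fetched by `Add Docker GPG apt key` is trusted on the strength of the HTTPS download alone — the `get_url` task has no `checksum:` and nothing compares the key's fingerprint with the one published in the install guide linked by the new `# See:` comment, so a tampered download would be accepted and, because of `force: false`, kept for the lifetime of the host. Pin it by adding `checksum: "sha256:<digest of the current key file>"` to that task, or follow it with a task that runs `gpg --show-keys --with-fingerprint /etc/apt/keyrings/docker.asc` and fails when the output does not contain the documented fingerprint. Moving the key out of `trusted.gpg.d` and into a `signed-by=` keyring is the right call, since it limits what the key can sign for to this one repository.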
@@ -10,21 +10,21 @@ policy: allow - name: Configure ufw rules - ufw: + community.general.ufw: rule: "{{ item.rule }}" port: "{{ item.port }}" proto: "{{ item.proto }}" loop: - - rule: 'limit' - port: '22' - proto: 'tcp' - - rule: 'allow' - port: '80' - proto: 'tcp' - - rule: 'allow' - port: '443' - proto: 'tcp' + - rule: "limit" + port: "22" + proto: "tcp" + - rule: "allow" + port: "80" + proto: "tcp" + - rule: "allow" + port: "443" + proto: "tcp" - name: Enable ufw - ufw: + community.general.ufw: state: enabled diff --git a/ansible/packages/handlers/main.yml b/ansible/packages/handlers/main.yml index 1ba94469..de741ee9 100644 --- a/ansible/packages/handlers/main.yml +++ b/ansible/packages/handlers/main.yml @@ -1,12 +1,12 @@ --- -- name: start ntp - service: +- name: Start ntp + ansible.builtin.service: name: ntp state: started - enabled: yes + enabled: true -- name: start fail2ban - service: +- name: Start fail2ban + ansible.builtin.service: name: fail2ban state: started - enabled: yes + enabled: true diff --git a/ansible/packages/tasks/main.yml b/ansible/packages/tasks/main.yml index da4dd536..d0e4a885 100644 --- a/ansible/packages/tasks/main.yml +++ b/ansible/packages/tasks/main.yml @@ -1,16 +1,29 @@ --- +- name: Ensure apt key is not present in trusted.gpg.d + ansible.builtin.file: + path: /etc/apt/trusted.gpg.d/docker.asc + state: absent + +- name: Ensure the repo referencing the previous trusted.gpg.d key is not present + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + state: absent + filename: "docker" + update_cache: true + - name: Upgrade packages - apt: - update_cache: yes - upgrade: yes + ansible.builtin.apt: + update_cache: true + upgrade: true - name: Install packages - apt: + ansible.builtin.apt: name: - apt-transport-https - build-essential - ca-certificates - curl + - duf - fail2ban - git - gnupg 
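Review bot: `upgrade: true` in `Upgrade packages` hands a boolean to an option whose documented values are `dist`, `full`, `no`, `safe` and `yes`; it appears to work only because Ansible maps the boolean back onto the `yes` choice, which is equivalent to `safe`. Stating the intent directly, `upgrade: safe`, removes the dependence on that coercion and makes it obvious this is not a dist-upgrade. The repo-removal task just above already sets `update_cache: true`, so the second `update_cache: true` here is redundant, though harmless.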
@@ -22,9 +35,17 @@ # Used by stacks-blockchain-docker to download big files faster during initial sync - aria2 state: latest - update_cache: yes - autoremove: yes - autoclean: yes + update_cache: true + autoremove: true + autoclean: true notify: - - start ntp - - start fail2ban + - Start ntp + - Start fail2ban + +- name: Remove snap + ansible.builtin.apt: + name: + - snapd + - snap + state: absent + purge: true diff --git a/ansible/playbook.yml b/ansible/playbook.yml index e43e79f0..812efabf 100755 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -4,9 +4,13 @@ strategy: free vars: ssh_key_path: "/path/to/your/local/id_rsa.pub" + # Whether to reboot when needed during unattended upgrades. + security_autoupdate_reboot: "false" + # The time to trigger a reboot, when needed, if security_autoupdate_reboot is set to true. In 24h "hh:mm" clock format. + security_autoupdate_reboot_time: "03:00" roles: - packages - docker - firewall - - ssh - - snap + - security + - reboot_if_needed diff --git a/ansible/reboot_if_needed/tasks/main.yml b/ansible/reboot_if_needed/tasks/main.yml new file mode 100644 index 00000000..2ae8e31d --- /dev/null +++ b/ansible/reboot_if_needed/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: Check if reboot is required + ansible.builtin.stat: + path: /var/run/reboot-required + register: reboot_required_file + +- name: Reboot the machine if needed + ansible.builtin.reboot: + when: reboot_required_file.stat.exists == true diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 00000000..8dd51618 --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - community.general diff --git a/ansible/security/handlers/main.yml b/ansible/security/handlers/main.yml new file mode 100644 index 00000000..66657086 --- /dev/null +++ b/ansible/security/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart ssh + ansible.builtin.service: + name: ssh + state: restarted 
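Review bot: `security_autoupdate_reboot` and `security_autoupdate_reboot_time` are quoted strings on purpose — the security role compares the first with `== "true"` and writes both verbatim into `50unattended-upgrades` — but the comment only says "set to true", so a reader will naturally write the YAML boolean `true` and silently get the feature skipped. Say so in the comment: `# Must be the quoted string "true" or "false": it is compared as a string and written verbatim into apt's config.` Since `ssh_key_path` is now consumed by the security role's authorized_keys copy, it also deserves a note that a wrong path fails the play while a wrong key can lock root out once password login is disabled.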
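Review bot: `when: reboot_required_file.stat.exists == true` compares a boolean against a literal; ansible-lint flags this and it reads as if the value could be something other than a bool. Use the fact directly: `when: reboot_required_file.stat.exists`. Because handlers only fire at the end of the play, a pending `Restart ssh` notification from the security role has not run when this task reboots the host — harmless, as the reboot restarts sshd anyway, but a one-line comment on the task (`# runs before play-end handlers; the reboot picks up the new sshd_config itself`) would stop it being mistaken for a bug.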
diff --git a/ansible/security/tasks/main.yml b/ansible/security/tasks/main.yml new file mode 100644 index 00000000..881a83a7 --- /dev/null +++ b/ansible/security/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: Update SSH configuration to be more secure + ansible.builtin.lineinfile: + dest: "/etc/ssh/sshd_config" + regexp: "^(#)?{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + state: present + validate: "sshd -T -f %s" + mode: "0644" + loop: + - { key: "PasswordAuthentication", value: "no" } + - { key: "PermitRootLogin", value: "prohibit-password" } + - { key: "Port", value: "22" } + - { key: "UseDNS", value: "no" } + - { key: "PermitEmptyPasswords", value: "no" } + - { key: "ChallengeResponseAuthentication", value: "no" } + - { key: "GSSAPIAuthentication", value: "no" } + - { key: "X11Forwarding", value: "no" } + notify: + - Restart ssh + +- name: Update unattended-upgrades configuration to be more secure + ansible.builtin.lineinfile: + dest: "/etc/apt/apt.conf.d/50unattended-upgrades" + regexp: "^(\/\/)?{{ item.key }} " + line: '{{ item.key }} "{{ item.value }}";' + state: present + mode: "0644" + loop: + - { + key: "Unattended-Upgrade::Automatic-Reboot", + value: "{{ security_autoupdate_reboot }}", + } + - { + key: "Unattended-Upgrade::Automatic-Reboot-Time", + value: "{{ security_autoupdate_reboot_time }}", + } + when: security_autoupdate_reboot == "true" diff --git a/ansible/snap/tasks/main.yml b/ansible/snap/tasks/main.yml deleted file mode 100644 index b15941d6..00000000 --- a/ansible/snap/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Remove snap - apt: - name: - - snapd - - snap - state: absent - purge: true diff --git a/ansible/ssh/handlers/main.yml b/ansible/ssh/handlers/main.yml deleted file mode 100644 index 822887e3..00000000 --- a/ansible/ssh/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart ssh - service: - name: ssh - state: restarted 
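Review bot: The `when: security_autoupdate_reboot == "true"` guard on the unattended-upgrades task means the setting can only ever be switched on: once `Unattended-Upgrade::Automatic-Reboot "true";` has been written, setting the variable back to `"false"` skips the task instead of writing `"false"`, and the host keeps auto-rebooting. The loop already writes `{{ security_autoupdate_reboot }}` as the value, so drop the `when:` line (or keep it only on the `Automatic-Reboot-Time` item) and the file will always reflect the variable. Separately, on Ubuntu images whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a cloud-init drop-in containing `PasswordAuthentication yes` wins over the `lineinfile` edits here because sshd keeps the first value it sees — if the targets are such images, write the hardening to a drop-in that sorts first (for example `/etc/ssh/sshd_config.d/00-hardening.conf`) and confirm with `sshd -T` that the effective value is `no`. `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` on current OpenSSH, so consider adding `{ key: "KbdInteractiveAuthentication", value: "no" }` to the loop.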
diff --git a/ansible/ssh/tasks/main.yml b/ansible/ssh/tasks/main.yml deleted file mode 100644 index 7d0ab0fd..00000000 --- a/ansible/ssh/tasks/main.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- -- name: Ensure the user directory exists - file: - path: /root/.ssh - state: directory - mode: '0700' - -- name: Copy SSH key from local machine to the server - copy: - src: "{{ ssh_key_path }}" - dest: /root/.ssh/authorized_keys - mode: '0600' - -- name: Update SSH configuration to be more secure - lineinfile: - dest: "/etc/ssh/sshd_config" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - validate: 'sshd -T -f %s' - mode: 0644 - with_items: - - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - - regexp: "^PermitRootLogin" - line: "PermitRootLogin prohibit-password" - - regexp: "^Port" - line: "Port 22" - - regexp: "^UseDNS" - line: "UseDNS no" - - regexp: "^PermitEmptyPasswords" - line: "PermitEmptyPasswords no" - - regexp: "^ChallengeResponseAuthentication" - line: "ChallengeResponseAuthentication no" - - regexp: "^GSSAPIAuthentication" - line: "GSSAPIAuthentication no" - - regexp: "^X11Forwarding" - line: "X11Forwarding no" - notify: - - restart ssh From 4c23926986966a0a1bc459decf504ab91f15e869 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Pradel?= Date: Sun, 9 Nov 2025 18:19:00 +0100 Subject: [PATCH 2/4] Update main.yml --- ansible/docker/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml index 443c39e5..dcfdd099 100644 --- a/ansible/docker/tasks/main.yml +++ b/ansible/docker/tasks/main.yml @@ -41,6 +41,8 @@ - docker-ce - docker-ce-cli - containerd.io + - docker-buildx-plugin + - docker-compose-plugin state: present notify: - Restart docker From d6d6758ec1c41e62b87e93b0e46dcafbd94d1bdb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9o=20Pradel?= Date: Sun, 9 Nov 2025 18:26:15 +0100 Subject: [PATCH 3/4] use architecture --- ansible/docker/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml index dcfdd099..d5e0f28c 100644 --- a/ansible/docker/tasks/main.yml +++ b/ansible/docker/tasks/main.yml @@ -28,9 +28,13 @@ mode: "0644" force: false +- name: Get DEB architecture + shell: dpkg --print-architecture + register: deb_architecture + - name: Add Docker repository ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + repo: "deb [arch={{ deb_architecture.stdout }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present filename: docker update_cache: true From 8a410c61be0959b34d9fe064c3971f74838e7bea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Pradel?= Date: Sun, 9 Nov 2025 18:29:25 +0100 Subject: [PATCH 4/4] Update main.yml --- ansible/security/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ansible/security/tasks/main.yml b/ansible/security/tasks/main.yml index 881a83a7..a4fc13d5 100644 --- a/ansible/security/tasks/main.yml +++ b/ansible/security/tasks/main.yml @@ -1,4 +1,16 @@ --- +- name: Ensure the user directory exists + file: + path: /root/.ssh + state: directory + mode: "0700" + +- name: Copy SSH key from local machine to the server + copy: + src: "{{ ssh_key_path }}" + dest: /root/.ssh/authorized_keys + mode: "0600" + - name: Update SSH configuration to be more secure ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config"
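Review bot: `Get DEB architecture` uses bare `shell` for a fixed command that needs no shell features, reports `changed` on every run, and is skipped in `--check` mode, where the registered `deb_architecture.stdout` is then undefined and the following `apt_repository` task fails while rendering `arch={{ deb_architecture.stdout }}`. Use the command module with the usual read-only flags so the lookup is idempotent and works in check mode; it also brings the task in line with the FQCN style used elsewhere in the patch.
```yaml
- name: Get DEB architecture
  ansible.builtin.command: dpkg --print-architecture
  register: deb_architecture
  changed_when: false
  check_mode: false
```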
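Review bot: `Copy SSH key from local machine to the server` replaces `/root/.ssh/authorized_keys` wholesale with the contents of `ssh_key_path`, discarding any key already provisioned there (cloud-init or provider-console keys), and the same role then sets `PasswordAuthentication no` and `PermitRootLogin prohibit-password`, so a wrong or stale key at `ssh_key_path` leaves no way back in. Adding the key rather than overwriting the file keeps existing access intact and lets the module manage ownership and the `0700`/`0600` modes itself; this needs `ansible.posix` added to requirements.yml. Both new tasks also use the short names `file` and `copy` where the rest of this patch standardises on FQCNs. The `Update SSH configuration` task this hunk cuts into continues outside the hunk.
```yaml
- name: Add SSH key from local machine to root's authorized_keys
  ansible.posix.authorized_key:
    user: root
    key: "{{ lookup('file', ssh_key_path) }}"
```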