Bootstrap playbook splitted in roles

.gitignore

@@ -2,4 +2,7 @@
 .idea/
 
 ### Project specific stuff:
-/secrets.yml
+/secrets.yml
+*retry
+inventori
+test/.vagrant/*

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016 Guillaume Vincent
+Copyright (c) 2016 Jordi
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -11,6 +11,7 @@ Use this playbook if you want to improve the security of your server and want to
   - setup firewall
   - disallow password authentication
   - disallow root SSH access
+  - setup the time
 
 
 ## tldr
@@ -92,6 +93,7 @@ the encrypted information that you need to change :
     ADMIN_USERNAME: admin
     PUBLIC_KEYS:
       - ~/.ssh/id_rsa.pub
+    TIMEZONE: 'xxxxxx'
     #EXTRA_PACKAGES:
     #  - vim
     #  - htop
@@ -129,4 +131,20 @@ Imagine you run SSH on port 2222 and your ssh daemon crashes. Now any local user
 
 See why it's probably better to stay on port 22 [Should I change the default SSH port on linux servers?](http://security.stackexchange.com/a/32311/26203)
 
-Thanks Cryonine
+Thanks Cryonine
+
+### How to use the inventory file
+
+Having the write 
+
+    --inventory-file='192.168.1.100,'
+
+is not optimal and makes the command innecessarily long quite fast when you add more and more servers. The solution is quite
+simple, edit the file called inventoire and add your own list of IPs. Or create your own (remember to also add it to the
+.gitignore file). 
+
+    ansible-playbook --private-key=~/.ssh/id_rsa --ask-become-pass --ask-vault-pass -i inventoire bootstrap.yml
+
+If we want to limit the run of the playbook to just one machine:
+
+    ansible-playbook --private-key=~/.ssh/id_rsa --ask-become-pass --ask-vault-pass -i inventoire bootstrap.yml -l server1

bootstrap_roles.yml

@@ -0,0 +1,28 @@
+---
+- hosts: all
+  become: yes
+  become_user: root
+
+  vars:
+    SSH_PORT: 22
+    DEFAULT_PACKAGES:
+      - ufw
+      - fail2ban
+      - lsof
+      - vim
+      - tmux
+      - htop
+    DEFAULT_PACKAGES_RED:
+      - fail2ban
+      - vim
+      - htop
+      - tmux
+      - firewalld
+
+  roles:
+    - user
+    - packages
+    - ssh 
+    - time
+    - config_fail2ban
+    - auto_sec_updates

inventoire

@@ -0,0 +1,4 @@
+server1 ansible_ssh_host=192.168.0.21 ansible_ssh_user=pi
+server2 ansible_ssh_host=192.168.0.22 ansible_ssh_user=pi
+...
+servern ansible_ssh_host=192.168.0.n ansible_ssh_user=pi

roles/auto_sec_updates/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

roles/auto_sec_updates/tasks/deb.yml

@@ -0,0 +1,21 @@
+---
+  - name: Install unattended-upgrades
+    apt: state=installed pkg={{ item }}
+    with_items:
+      - unattended-upgrades
+
+  - name: Setup 10periodic
+    copy:
+      src: files/10periodic
+      dest: /etc/fail2ban/jail.local
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Setup allowed origins
+    template:
+      src: templates/50unattended-upgrades.j2
+      dest: /etc/apt/apt.conf.d/50unattended-upgrades
+      owner: root
+      group: root
+      mode: 0644

roles/auto_sec_updates/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+  - include: deb.yml
+    when: ansible_os_family == 'Debian' or ansible_distribution == 'Ubuntu'
+
+  - include: red.yml
+    when: ansible_os_family == 'RedHat'

roles/auto_sec_updates/tasks/red.yml

@@ -0,0 +1,3 @@
+---
+  - name: Message
+    debug: msg="Automatic security updates only available on RedHat"

roles/auto_sec_updates/templates/50unattended-upgrades.j2

@@ -0,0 +1,3 @@
+Unattended-Upgrade::Allowed-Origins {
+        "{{ ansible_distribution }} {{ ansible_distribution_release }}-security";
+};