-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.yml
72 lines (66 loc) · 1.99 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#!/usr/bin/env ansible-playbook
---
# See README.md for installation & guidance
- hosts: all
become: true
# Edit the config file to suit your particular requirements
vars_files:
- config.yml
pre_tasks:
# Several roles need to know the "real" Ansible user. These pre-tasks make
# that possible.
- name: Get currently logged-in user
become: false
ansible.builtin.command: whoami
register: whoami_output
changed_when: false
tags: always
- name: Make currently logged-in user available as "playbook_user" variable
ansible.builtin.set_fact:
playbook_user: "{{ whoami_output.stdout }}"
tags: always
# Simple tasks that don't merit a role
tasks:
- name: Set time zone
community.general.timezone:
name: "{{ server_timezone }}"
tags: [timezone, init]
# - name: Show OS version
# debug:
# var: ansible_facts['distribution']
# tags: [debug_os]
roles:
# This role runs every time and drops a version file in /etc
- role: version
tags: [version, always]
# Security, including external hardening roles
- role: devsec.hardening.os_hardening
vars:
os_filesystem_whitelist: squashfs # Needed for Snaps
tags: [osharden, devsec, security]
- role: devsec.hardening.ssh_hardening
vars:
sftp_enabled: true # Ansible prefers to use SFTP to copy files
sftp_chroot: false
tags: [sshharden, devsec, security]
- role: selinux
tags: [selinux, security]
- role: firewall
tags: [firewall, security]
- role: name
tags: [name, init]
- role: network
tags: [network, init]
- role: packages
tags: [packages, init]
- role: user
tags: [user, init]
- role: gnome
tags: [gnome, desktop]
# dconf is used to lock down the desktop
- role: dconf
tags: [dconf, desktop]
- role: gui_packages
tags: [gui_packages, desktop]
- role: proxy
tags: [proxy, security]