├── .gitignore ├── README.md ├── harden.yml ├── hosts ├── environment1 │ ├── group_vars │ │ └── all.yml │ ├── inventory │ └── secrets.yml ├── environment2 │ ├── group_vars │ │ └── all.yml │ ├── inventory │ └── secrets.yml ├── shared-secrets.yml └── shared-vars.yml ├── roles └── harden │ ├── files │ ├── apt_periodic │ └── home.pub │ ├── tasks │ └── main.yml │ └── vars │ └── main.yml └── tasks └── load-vars.yml
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ansible-multienv-base
2 | Template for an Ansible project that makes it easy to manage multiple environments (e.g. staging, test, production) and to harden new hosts
3 | 
4 | # Description
5 | This is my base template for Ansible projects that deploy to multiple environments.
6 | The general idea is to use one inventory per environment, so that new hosts / groups / environments can be added easily, each with its own variables.
7 | 
8 | # Structure
9 | ```
10 | |- hosts
11 | | |- shared-secrets.yml # ansible-vault encrypted vars, used in all environments
12 | | |- shared-vars.yml # plain-text (not encrypted) vars, used in all environments
13 | | |- environment1 # directory for one environment (e.g. test or staging)
14 | | | |- inventory # inventory file with definitions of all required hosts
15 | | | |- secrets.yml # ansible-vault encrypted vars for this environment only
16 | | | |- group_vars # must be named exactly group_vars, or Ansible will not load it
17 | | | |- all.yml # normal group_vars, like in a typical ansible project
18 | | |- environment2 # directory for another environment
19 | | |- inventory
20 | | |- secrets.yml
21 | | |- group_vars
22 | | |- all.yml
23 | |- roles # all ansible roles used in the playbooks
24 | | |- role1
25 | | |- ...
26 | |- playbook1.yml # playbooks live here, next to hosts/ and roles/
27 | ```
28 | 
29 | # Usage
30 | ```
31 | git clone https://github.com/Valian/ansible-multienv-base
32 | ```
33 | Next, create your playbooks, fill in the inventories and variables, add roles, etc. Before running `harden.yml`, replace `roles/harden/files/home.pub` (listed under `keys` in `roles/harden/vars/main.yml`) with your own public key: the harden role installs every key in that list for the `ubuntu` user and then disables SSH password authentication, so leaving the bundled key in place grants its owner access to your hosts, and omitting your own key locks you out.
34 | To encrypt a secret variables file, use
35 | ```
36 | ansible-vault encrypt path-to-file # Caution! With --ask-vault-pass every vaulted file must use the same password
37 | ```
38 | Never commit the vault password: `.gitignore` only excludes `.idea`, so a password file dropped into the repository root would be tracked by git. Newer Ansible releases can use `--vault-id` to manage several vault passwords.
39 | There is also a special task file, `tasks/load-vars.yml`, that should be included in `pre_tasks` of each playbook (see `harden.yml`); it loads the shared and environment-specific variable files for the inventory you selected.
40 | To run a playbook against the chosen environment, use
41 | ```
42 | ansible-playbook -i hosts/desired_env/inventory --ask-vault-pass playbook.yml
43 | ```
44 | 
45 | Hope this will be helpful to somebody.
46 | 
47 | You can find me on Twitter @jskalc
48 | 
--------------------------------------------------------------------------------
/harden.yml:
--------------------------------------------------------------------------------
1 | ---
2 | 
3 | - hosts: all
4 | pre_tasks:
5 | - include: tasks/load-vars.yml
6 | roles:
7 | - role: harden
--------------------------------------------------------------------------------
/hosts/environment1/group_vars/all.yml:
--------------------------------------------------------------------------------
1 | ---
--------------------------------------------------------------------------------
/hosts/environment1/inventory:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Valian/ansible-multienv-base/509c4f8523791235d63080c326c0c30e5c369212/hosts/environment1/inventory
--------------------------------------------------------------------------------
/hosts/environment1/secrets.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 31366231373435316238333266393431666136373463306637323635313833303037336639363530
3 | 
6338613761613265303932653237653461356532343664660a656362333132636535646535363432 4 | 37623363643265666465303464663638313837663834366131343932663230643638636364613834 5 | 3138616666613533300a343161323863376234366663343765326231396463626364313633633365 6 | 3264 7 | -------------------------------------------------------------------------------- /hosts/environment2/group_vars/all.yml: -------------------------------------------------------------------------------- 1 | --- -------------------------------------------------------------------------------- /hosts/environment2/inventory: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Valian/ansible-multienv-base/509c4f8523791235d63080c326c0c30e5c369212/hosts/environment2/inventory -------------------------------------------------------------------------------- /hosts/environment2/secrets.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 65363037363338376635646636623161346266333331623065363764303263633761353937333062 3 | 3034396335613632303431656663356532633735383530320a376631343133613633636436613433 4 | 38666231386432333236376638316539653531646637643961653430393533653631323661323830 5 | 6162313436613732340a333430326366393064613165316565646232386162636462326438613734 6 | 3364 7 | -------------------------------------------------------------------------------- /hosts/shared-secrets.yml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 31393462613239303566356362373339633431613362333334663337353033316538653232636365 3 | 6439303731616532393730313734383736303562396136660a313833653532636632356236376563 4 | 61656263653234313436366462346662333061333835646335323461363738333531663637643836 5 | 3336353632333031380a356463316138313438613339303430353331326133336535653665316262 6 | 
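61663132393030386564633265303938646639323062623161646162306239316639336465373633
6163643231356539633165653739626564333739653338343438
--------------------------------------------------------------------------------
/hosts/shared-vars.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Valian/ansible-multienv-base/509c4f8523791235d63080c326c0c30e5c369212/hosts/shared-vars.yml
--------------------------------------------------------------------------------
/roles/harden/files/apt_periodic:
--------------------------------------------------------------------------------
// Installed as /etc/apt/apt.conf.d/10periodic by roles/harden/tasks/main.yml.
// "1" = every day. Package lists are refreshed, upgradeable packages are
// pre-downloaded and unattended-upgrade is run daily; apt autoclean runs weekly.
// Which upgrades unattended-upgrade actually applies is governed by
// /etc/apt/apt.conf.d/50unattended-upgrades, which this role does not manage.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
--------------------------------------------------------------------------------
/roles/harden/files/home.pub:
--------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIJdf7A5JCMU2hX+7EtMUbPqUEOIRTCWu2J026IIdv60wQNEc0lN3TjkhtU5ExdfY1vS1fBV6uEwUe97UCGxi7yBwkQXJ6Epx6eIaQwpeoXeltwOL2hPHROL45O3dRuB4trM4rFYjvmbmtXKURVPRTjyipTiBe6CINwHmQMbpiyt2KjCxuBa8EuXc0u9ixGc7Zv+11C57j5WM+dORGFa/Wqjn+yMKyPSQpLNiVIQ8RzftS0yKV/RRXvuwsXO4ZlZ2ho1OAWAu9T/r3Ym2mch0qNervhPORCAEBzWRCahNwPqPk6HvnA6gztqj5B9tLKqpse6JDB92FB7MUu3xKc9oB
--------------------------------------------------------------------------------
/roles/harden/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Baseline hardening for a freshly provisioned Ubuntu host.
#
# Inputs:
#   ubuntu_password_crypted - crypt(3) hash for the ubuntu user; expected to come
#                             from the vaulted files loaded by tasks/load-vars.yml.
#   keys                    - list of public-key files under roles/harden/files/
#                             (roles/harden/vars/main.yml). Replace home.pub with
#                             your own key before running this role.
#
# Task order is deliberate: the ubuntu user, its sudo entry and its SSH key are all
# in place BEFORE root login and password authentication are switched off, so a
# run of this role cannot lock the operator out.

- name: add ubuntu user
  # The user module stores the value as-is; it must already be a password hash.
  user:
    name: ubuntu
    password: "{{ ubuntu_password_crypted }}"
    shell: /bin/bash

- name: Add ubuntu user sudo rights
  # Grant ubuntu before revoking %sudo, so an operator who relies on the sudo group
  # keeps privilege for the rest of the run. validate= rejects any edit that visudo
  # refuses - a syntactically broken sudoers leaves no way to become root.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^ubuntu\s+ALL'
    line: "ubuntu ALL=(ALL) ALL"
    state: present
    validate: "visudo -cf %s"

- name: Remove sudo group rights
  lineinfile:
    dest: /etc/sudoers
    regexp: "^%sudo"
    state: absent
    validate: "visudo -cf %s"

- name: update and upgrade apt-get
  apt:
    update_cache: yes
    upgrade: full

- name: Install security packages
  # unattended-upgrades is what the apt_periodic file below drives.
  apt:
    pkg: "{{ item }}"
    state: present
  with_items:
    - ufw
    - fail2ban
    - unattended-upgrades

- name: Install optional packages
  apt:
    pkg: "{{ item }}"
    state: present
  with_items:
    - vim

- name: Adjust APT update intervals
  copy:
    src: apt_periodic
    dest: /etc/apt/apt.conf.d/10periodic

- name: allow ssh on ufw
  # Must be in place before the deny policy is enabled, or the run cuts off SSH.
  ufw:
    rule: allow
    name: OpenSSH

- name: policy - deny
  ufw:
    policy: deny

- name: enable ufw
  ufw:
    state: enabled

- name: add authorized_keys for ubuntu user
  # Installed before password authentication is disabled below.
  authorized_key:
    user: ubuntu
    key: "{{ item }}"
  with_file: "{{ keys }}"

- name: Disallow root SSH access
  # validate= keeps sshd from being left with a config it cannot parse.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    state: present
    validate: "/usr/sbin/sshd -t -f %s"
  register: sshd_root_login

- name: Disallow password authentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present
    validate: "/usr/sbin/sshd -t -f %s"
  register: sshd_password_auth

- name: restart sshd to apply configuration changes
  # The role ships no handlers/ directory, so a `notify: restart sshd` has nothing
  # to fire and Ansible aborts the play with "handler not found" as soon as either
  # task above reports a change. Apply the change explicitly instead. Restarting
  # sshd does not terminate established sessions. The Ubuntu service name is "ssh".
  service:
    name: ssh
    state: restarted
  when: sshd_root_login.changed or sshd_password_auth.changed
--------------------------------------------------------------------------------
/roles/harden/vars/main.yml:
--------------------------------------------------------------------------------
---
# Public-key files (relative to roles/harden/files/) installed for the ubuntu user
# by roles/harden/tasks/main.yml. home.pub is the key that ships with this template,
# not yours - replace it before running the harden role.

keys:
  - home.pub
--------------------------------------------------------------------------------
/tasks/load-vars.yml:
--------------------------------------------------------------------------------
---
# Loads the shared and per-environment variable files for the selected inventory.
# Included from pre_tasks of every playbook (see harden.yml).
#
# include_vars applies files in order and a later file overrides an earlier one, so
# the environment-specific secrets are loaded LAST and take precedence over the
# shared defaults. `inventory_dir` is hosts/<environment>, derived from the -i
# argument, so this selects the matching secrets.yml automatically.

- include_vars: "hosts/shared-vars.yml"
- include_vars: "hosts/shared-secrets.yml"
- include_vars: "{{ inventory_dir }}/secrets.yml"
--------------------------------------------------------------------------------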