diff --git a/main.yaml b/main.yaml
index 2f5ab5a..ac981c2 100644
--- a/main.yaml
+++ b/main.yaml
@@ -1,5 +1,17 @@ --- - hosts: netflows - become: true roles: - netflows
+- hosts: all
+ roles:
+ - common
+- hosts: public
+ roles:
+ - public
+- hosts: smbclient
+ roles:
+ - smbclient
+- hosts: pi
+ roles:
+ - snmpd
+
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index a791fe5..8d54d52 100755
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -1,9 +1,7 @@ ---
-- hosts: all
- tasks:
- - name: Upgrade all packages o the latest version
- become: true
- apt:
- upgrade: yes
- update_cache: yes
- tags: apt_upgrade
+- name: Upgrade all packages o the latest version
+ become: true
+ apt:
+ upgrade: yes
+ update_cache: yes
+ tags: apt_upgrade
diff --git a/roles/public/tasks/main.yaml b/roles/public/tasks/main.yaml
index b12a02f..83de5d7 100755
--- a/roles/public/tasks/main.yaml
+++ b/roles/public/tasks/main.yaml
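Review bot: The netflows play appears to lose `become: true` in the main.yaml hunk (the -1,5 +1,17 counts only work out if `become: true` is the one removed line), and none of the four added plays set `become` either, so every privilege escalation now has to come from inside the roles; common, public and snmpd set it per task in this diff, but whether the netflows role does is not visible here and should be confirmed before merging. The added plays also carry no `name:`, which makes play output hard to follow; e.g. `- name: Apply common baseline to every host` above `hosts: all`, and similar for the other three.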
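Review bot: `upgrade: yes` and `update_cache: yes` in the common role use YAML 1.1 truthy words; write `update_cache: true` and either `upgrade: true` or the explicit apt mode `upgrade: safe` (which is what `yes` maps to) so the values survive a YAML 1.2 parser and yamllint's truthy rule. The task name has a typo and should read `name: Upgrade all packages to the latest version`. Since this role is now applied to `hosts: all`, an unattended upgrade runs on every host on every play run, including the ones the public role exposes; a short comment stating that this is intended would help the next reader.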
@@ -1,187 +1,185 @@ ---
-- hosts: public
- tasks:
- - name: Install ufw packages
- package:
- name: ufw
- state: present
- become: true
- - name: Allow all access from RFC1918 networks to this hosts
- ufw:
- rule: allow
- src: '{{ item }}'
- with_items:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- become: true
- - name: Allow all access from any Comcast IP Space
- become: true
- ufw:
- rule: allow
- src: '{{ item }} '
- with_items:
- - 72.94.169.223/32
- - 100.96.0.0/11
- - 103.72.193.0/24
- - 107.0.0.0/14
- - 107.4.0.0/15
- - 108.171.224.0/20
- - 147.191.0.0/16
- - 162.148.0.0/14
- - 162.17.0.0/16
- - 165.137.0.0/16
- - 169.152.0.0/16
- - 169.152.0.0/16
- - 173.160.0.0/13
- - 173.8.0.0/13
- - 174.160.0.0/11
- - 174.48.0.0/12
- - 184.108.0.0/14
- - 184.112.0.0/12
- - 193.57.148.0/22
- - 198.0.0.0/16
- - 198.137.252.0/23
- - 198.178.8.0/21
- - 207.223.0.0/20
- - 208.110.192.0/19
- - 208.39.128.0/18
- - 209.23.192.0/18
- - 216.45.128.0/17
- - 23.24.0.0/15
- - 23.30.0.0/15
- - 23.68.0.0/14
- - 232.128.0.0/13
- - 232.232.0.0/14
- - 232.36.0.0/14
- - 232.40.0.0/14
- - 232.44.0.0/14
- - 232.48.0.0/14
- - 232.52.0.0/14
- - 232.56.0.0/14
- - 232.64.0.0/14
- - 232.80.0.0/14
- - 232.96.0.0/14
- - 239.12.0.0/14
- - 239.16.0.0/14
- - 239.20.0.0/14
- - 239.24.0.0/14
- - 239.28.0.0/14
- - 239.32.0.0/14
- - 24.0.0.0/12
- - 24.104.0.0/17
- - 24.104.128.0/19
- - 24.118.0.0/16
- - 24.124.128.0/17
- - 24.125.0.0/16
- - 24.126.0.0/15
- - 24.128.0.0/16
- - 24.129.0.0/17
- - 24.130.0.0/15
- - 24.147.0.0/16
- - 24.149.128.0/17
- - 24.153.64.0/19
- - 24.153.72.0/21
- - 24.16.0.0/13
- - 24.218.0.0/16
- - 24.245.0.0/18
- - 24.30.0.0/17
- - 24.34.0.0/16
- - 24.40.0.0/18
- - 24.40.64.0/20
- - 24.60.0.0/14
- - 24.91.0.0/16
- - 24.98.0.0/15
- - 3.81.241.149
- - 50.128.0.0/9
- - 50.73.0.0/16
- - 50.76.0.0/14
- - 64.139.64.0/19
- - 64.235.160.0/19
- - 64.56.32.0/19
- - 64.78.64.0/18
- - 65.34.128.0/17
- - 65.96.0.0/16
- - 66.176.0.0/15
- - 66.208.192.0/18
- - 66.229.0.0/16
- - 66.240.0.0/18
- - 66.30.0.0/15
- - 66.41.0.0/16
- - 66.56.0.0/18
- - 67.160.0.0/11
- - 67.178.0.0/17
- - 67.178.128.0/17
- - 67.179.0.0/16
- - 68.32.0.0/11
- - 68.80.0.0/13
- - 68.85.0.0/20
- - 68.85.128.0/17
- - 68.85.16.0/20
- - 68.85.32.0/19
- - 68.85.64.0/18
- - 68.86.0.0/18
- - 68.86.128.0/17
- - 68.86.64.0/18
- - 68.87.0.0/20
- - 68.87.128.0/18
- - 68.87.16.0/20
- - 68.87.192.0/19
- - 68.87.224.0/20
- - 68.87.240.0/20
- - 68.87.32.0/19
- - 68.87.64.0/18
- - 69.136.0.0/13
- - 69.139.128.0/20
- - 69.139.144.0/20
- - 69.139.160.0/19
- - 69.139.192.0/18
- - 69.180.0.0/15
- - 69.240.0.0/12
- - 70.88.0.0/14
- - 71.192.0.0/12
- - 71.224.0.0/12
- - 71.24.0.0/14
- - 71.56.0.0/13
- - 72.55.0.0/17
- - 73.0.0.0/8
- - 74.144.0.0/12
- - 74.16.0.0/12
- - 74.81.128.0/19
- - 74.92.0.0/14
- - 75.144.0.0/13
- - 75.64.0.0/13
- - 75.72.0.0/15
- - 75.74.0.0/16
- - 75.75.0.0/17
- - 75.75.128.0/18
- - 75.75.72.0/21
- - 76.128.0.0/11
- - 76.16.0.0/12
- - 76.96.0.0/11
- - 96.100.0.0/14
- - 96.106.0.0/15
- - 96.108.0.0/17
- - 96.108.128.0/18
- - 96.108.192.0/19
- - 96.108.224.0/19
- - 96.109.0.0/16
- - 96.110.0.0/16
- - 96.111.0.0/16
- - 96.112.0.0/13
- - 96.120.0.0/14
- - 96.124.0.0/16
- - 96.128.0.0/10
- - 96.192.0.0/11
- - 96.64.0.0/11
- - 96.96.0.0/12
- - 98.192.0.0/10
- - 98.205.0.0/16
- - 98.241.0.0/16
- - 98.32.0.0/11
+- name: Install ufw packages
+ package:
+ name: ufw
+ state: present
+ become: true
+- name: Allow all access from RFC1918 networks to this hosts
+ ufw:
+ rule: allow
+ src: '{{ item }}'
+ with_items:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ become: true
+- name: Allow all access from any Comcast IP Space
+ become: true
+ ufw:
+ rule: allow
+ src: '{{ item }} '
+ with_items:
+ - 72.94.169.223/32
+ - 100.96.0.0/11
+ - 103.72.193.0/24
+ - 107.0.0.0/14
+ - 107.4.0.0/15
+ - 108.171.224.0/20
+ - 147.191.0.0/16
+ - 162.148.0.0/14
+ - 162.17.0.0/16
+ - 165.137.0.0/16
+ - 169.152.0.0/16
+ - 169.152.0.0/16
+ - 173.160.0.0/13
+ - 173.8.0.0/13
+ - 174.160.0.0/11
+ - 174.48.0.0/12
+ - 184.108.0.0/14
+ - 184.112.0.0/12
+ - 193.57.148.0/22
+ - 198.0.0.0/16
+ - 198.137.252.0/23
+ - 198.178.8.0/21
+ - 207.223.0.0/20
+ - 208.110.192.0/19
+ - 208.39.128.0/18
+ - 209.23.192.0/18
+ - 216.45.128.0/17
+ - 23.24.0.0/15
+ - 23.30.0.0/15
+ - 23.68.0.0/14
+ - 232.128.0.0/13
+ - 232.232.0.0/14
+ - 232.36.0.0/14
+ - 232.40.0.0/14
+ - 232.44.0.0/14
+ - 232.48.0.0/14
+ - 232.52.0.0/14
+ - 232.56.0.0/14
+ - 232.64.0.0/14
+ - 232.80.0.0/14
+ - 232.96.0.0/14
+ - 239.12.0.0/14
+ - 239.16.0.0/14
+ - 239.20.0.0/14
+ - 239.24.0.0/14
+ - 239.28.0.0/14
+ - 239.32.0.0/14
+ - 24.0.0.0/12
+ - 24.104.0.0/17
+ - 24.104.128.0/19
+ - 24.118.0.0/16
+ - 24.124.128.0/17
+ - 24.125.0.0/16
+ - 24.126.0.0/15
+ - 24.128.0.0/16
+ - 24.129.0.0/17
+ - 24.130.0.0/15
+ - 24.147.0.0/16
+ - 24.149.128.0/17
+ - 24.153.64.0/19
+ - 24.153.72.0/21
+ - 24.16.0.0/13
+ - 24.218.0.0/16
+ - 24.245.0.0/18
+ - 24.30.0.0/17
+ - 24.34.0.0/16
+ - 24.40.0.0/18
+ - 24.40.64.0/20
+ - 24.60.0.0/14
+ - 24.91.0.0/16
+ - 24.98.0.0/15
+ - 3.81.241.149
+ - 50.128.0.0/9
+ - 50.73.0.0/16
+ - 50.76.0.0/14
+ - 64.139.64.0/19
+ - 64.235.160.0/19
+ - 64.56.32.0/19
+ - 64.78.64.0/18
+ - 65.34.128.0/17
+ - 65.96.0.0/16
+ - 66.176.0.0/15
+ - 66.208.192.0/18
+ - 66.229.0.0/16
+ - 66.240.0.0/18
+ - 66.30.0.0/15
+ - 66.41.0.0/16
+ - 66.56.0.0/18
+ - 67.160.0.0/11
+ - 67.178.0.0/17
+ - 67.178.128.0/17
+ - 67.179.0.0/16
+ - 68.32.0.0/11
+ - 68.80.0.0/13
+ - 68.85.0.0/20
+ - 68.85.128.0/17
+ - 68.85.16.0/20
+ - 68.85.32.0/19
+ - 68.85.64.0/18
+ - 68.86.0.0/18
+ - 68.86.128.0/17
+ - 68.86.64.0/18
+ - 68.87.0.0/20
+ - 68.87.128.0/18
+ - 68.87.16.0/20
+ - 68.87.192.0/19
+ - 68.87.224.0/20
+ - 68.87.240.0/20
+ - 68.87.32.0/19
+ - 68.87.64.0/18
+ - 69.136.0.0/13
+ - 69.139.128.0/20
+ - 69.139.144.0/20
+ - 69.139.160.0/19
+ - 69.139.192.0/18
+ - 69.180.0.0/15
+ - 69.240.0.0/12
+ - 70.88.0.0/14
+ - 71.192.0.0/12
+ - 71.224.0.0/12
+ - 71.24.0.0/14
+ - 71.56.0.0/13
+ - 72.55.0.0/17
+ - 73.0.0.0/8
+ - 74.144.0.0/12
+ - 74.16.0.0/12
+ - 74.81.128.0/19
+ - 74.92.0.0/14
+ - 75.144.0.0/13
+ - 75.64.0.0/13
+ - 75.72.0.0/15
+ - 75.74.0.0/16
+ - 75.75.0.0/17
+ - 75.75.128.0/18
+ - 75.75.72.0/21
+ - 76.128.0.0/11
+ - 76.16.0.0/12
+ - 76.96.0.0/11
+ - 96.100.0.0/14
+ - 96.106.0.0/15
+ - 96.108.0.0/17
+ - 96.108.128.0/18
+ - 96.108.192.0/19
+ - 96.108.224.0/19
+ - 96.109.0.0/16
+ - 96.110.0.0/16
+ - 96.111.0.0/16
+ - 96.112.0.0/13
+ - 96.120.0.0/14
+ - 96.124.0.0/16
+ - 96.128.0.0/10
+ - 96.192.0.0/11
+ - 96.64.0.0/11
+ - 96.96.0.0/12
+ - 98.192.0.0/10
+ - 98.205.0.0/16
+ - 98.241.0.0/16
+ - 98.32.0.0/11
- - name: Enable UFW
- ufw:
- state: enabled
- policy: deny
- become: true
+- name: Enable UFW
+ ufw:
+ state: enabled
+ policy: deny
+ become: true
diff --git a/roles/smbclient/tasks/main.yaml b/roles/smbclient/tasks/main.yaml
new file mode 100755
index 0000000..b2e1edc
--- /dev/null
+++ b/roles/smbclient/tasks/main.yaml
@@ -0,0 +1,9 @@
+---
+- name: enable cron job for smb traffic
+ cron:
+ name: "smbtraff"
+ minute: "*/20"
+ hour: "7-18"
+ weekday: "1-5"
+ job: "/usr/bin/perl -e 'sleep int rand 1199' && /home/pi/scripts/smb-session.sh"
+ tags: smbtraff_cron
diff --git a/roles/smbclient/tasks/playbook.yaml b/roles/smbclient/tasks/playbook.yaml
deleted file mode 100755
index e3a94e4..0000000
--- a/roles/smbclient/tasks/playbook.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- hosts: smbclient
- tasks:
- - name: enable cron job for smb traffic
- cron:
- name: "smbtraff"
- minute: "*/20"
- hour: "7-18"
- weekday: "1-5"
- job: "/usr/bin/perl -e 'sleep int rand 1199' && /home/pi/scripts/smb-session.sh"
- tags: smbtraff_cron
diff --git a/roles/snmpd/tasks/main.yaml b/roles/snmpd/tasks/main.yaml
index 2dd0f4f..13cf5dd 100755
--- a/roles/snmpd/tasks/main.yaml
+++ b/roles/snmpd/tasks/main.yaml
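Review bot: The "Comcast IP Space" list carried over into the public role contains eleven `232.x.0.0` entries and six `239.x.0.0` entries; 232.0.0.0/8 and 239.0.0.0/8 sit inside the 224.0.0.0/4 multicast range and can never appear as a unicast source, so those lines are almost certainly transcription errors for other blocks and the whole list should be re-verified against its source before being relied on. `169.152.0.0/16` is listed twice and `3.81.241.149` is the only entry without a prefix length, which also suggests the list was hand-copied. Every rule in both allow tasks is `rule: allow` with a `src` only, so a packet from any of these networks (including `73.0.0.0/8` and `50.128.0.0/9`) reaches every listening port; adding `port:` and `proto:` to the ufw calls, or a comment explaining why whole-host access is intended, would keep the closing `policy: deny` meaningful. The second task's `src: '{{ item }} '` has a trailing space inside the quotes and should be `src: '{{ item }}'` like the RFC1918 task. The first allow task's name should read `Allow all access from RFC1918 networks to this host`.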
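Review bot: The new cron task in roles/smbclient/tasks/main.yaml sets no `user:`, so the entry appears to land in the crontab of whatever account Ansible connects as, while the job hard-codes `/home/pi/scripts/smb-session.sh`, which nothing in this diff deploys. If the script is meant to run as `pi`, say so with `user: pi`, and either ship the script from the role (`copy`/`template` before the cron task) or guard the task with a `stat` check so a missing file fails at play time instead of silently in cron. A one-line comment on the `job:` value would also help, e.g. `# random delay of up to 1199 s (just under the */20 interval) so runs do not align across hosts` — hedged, since the intent of the sleep is not stated anywhere in the diff.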
@@ -1,34 +1,32 @@ ---
-- hosts: pi
- tasks:
- - name: Install snmpd Package
- become: yes
- apt:
- name: ['snmpd']
- state: present
- update_cache: true
- tags: install_snmpd
- - lineinfile:
- path: /etc/snmp/snmpd.conf
- state: present
- backrefs: yes
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^\s+rocommunity\s+public\s+default\s+-V\s+systemonly', line: ' rocommunity public' }
- - { regexp: '^agentAddress\s+udp:127.0.0.1:161', line: 'agentAddress udp:161' }
- tags: configure_snmpd
- become: true
- - name: enable snmpd service and ensure it is not masked
- systemd:
- name: snmpd
- enabled: yes
- masked: no
- state: restarted
- tags: enablestart_snmpd
- become: true
- - name: set timezone
- become: true
- timezone:
- name: America/New_York
- tags: set_timezone
+- name: Install snmpd Package
+ become: yes
+ apt:
+ name: ['snmpd']
+ state: present
+ update_cache: true
+ tags: install_snmpd
+- lineinfile:
+ path: /etc/snmp/snmpd.conf
+ state: present
+ backrefs: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^\s+rocommunity\s+public\s+default\s+-V\s+systemonly', line: ' rocommunity public' }
+ - { regexp: '^agentAddress\s+udp:127.0.0.1:161', line: 'agentAddress udp:161' }
+ tags: configure_snmpd
+ become: true
+- name: enable snmpd service and ensure it is not masked
+ systemd:
+ name: snmpd
+ enabled: yes
+ masked: no
+ state: restarted
+ tags: enablestart_snmpd
+ become: true
+- name: set timezone
+ become: true
+ timezone:
+ name: America/New_York
+ tags: set_timezone
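Review bot: The `lineinfile` task rewrites `rocommunity public default -V systemonly` to ` rocommunity public` and `agentAddress udp:127.0.0.1:161` to `agentAddress udp:161`, which together take snmpd from loopback-only, system-group-only reads to the full OID tree on every interface with the well-known `public` community, and nothing in this diff applies the public role's ufw rules to the `pi` group unless those hosts are also in `public`. Keep the view and scope the source, e.g. `line: 'rocommunity {{ snmp_ro_community }} 192.168.0.0/16 -V systemonly'` with the community string supplied from a vaulted variable (constructed example; the variable name and network are placeholders), or bind `agentAddress` to the management address only. `become: yes`, `backrefs: yes`, `enabled: yes` and `masked: no` are YAML 1.1 truthy words and should be `true`/`false`. The lineinfile task has no `name:`, and `state: restarted` on the systemd task restarts snmpd on every run rather than only when the config changed — a `notify` handler on the lineinfile task would keep the role idempotent. The `set timezone` task is unrelated to snmpd and reads as if it belongs in the common role.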