Merge pull request #3 from secshellnet/development

Added nginx role, added support for fedora

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "roles/ansible-role-sshd"]
 	path = roles/ansible-role-sshd
 	url = https://github.com/secshellnet/ansible-role-sshd
+[submodule "roles/ansible-role-nginx"]
+	path = roles/ansible-role-nginx
+	url = https://github.com/secshellnet/ansible-role-nginx

README.md

@@ -3,7 +3,11 @@
 This repository template provides a ansible inventory to manage cloud server in 
 hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, 
 ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
-For now it only supports ubuntu (18.04, 20.04, 22.04) and debian (10, 11, 12), we tested both and they are working pretty good.
+
+## Supported Images
+- Ubuntu (18.04, 20.04, 22.04)
+- Debian (10, 11, 12)
+- Fedora (37, 38)
 
 ## Getting started
 1. Create a reporitory from this template repository and clone it:
@@ -91,6 +95,7 @@ hcloud-ansible
 ├── playbook.yaml
 ├── roles
 │   ├── ansible-role-fail2ban
+│   ├── ansible-role-nginx
 │   └── ansible-role-sshd
 └── tasks                        # ansible subtasks to be used in the playbooks
     ├── create-worker-user.yaml
@@ -101,7 +106,7 @@ hcloud-ansible
 - run OpenSCAP and check what could be improved
 
 ### think about
-- iptables firewall rules and/or hcloud firewall rules
+- (iptables/firewalld) firewall rules and/or hcloud firewall rules -> integration of hcloud would be independent of distribution -> if we want to support distros like fedora in future it would be better for now
 - auditd / rkhunter / AIDE / snort -> how to log it
 - disable core dumps via soft / hard limits
 - disable unused filesystems (cramfs, freevxfs, jffs2, hfs, hfsplus, udf, squashfs, dccp, rds, sctp, tips)

group_vars/all/vars.yaml

@@ -1,2 +1,5 @@
 ---
 worker_user: "worker"
+
+# features / roles to install
+install_nginx: false

playbook.yaml

@@ -13,29 +13,6 @@
     - ansible.builtin.include_role:
         name: "roles/ansible-role-sshd"
 
-    - name: "Install tools and requirements"
-      ansible.builtin.apt:
-        update_cache: true
-        name:
-          - python3-requests
-          - python3-apt
-          - curl
-          - wget
-          - dnsutils
-          - mtr
-          - tcpdump
-          - ncdu
-          - jq
-          - iptables
-          - iptables-persistent
-          - unattended-upgrades
-        state: present
-      become: true
-
-    - ansible.builtin.include_role:
-        name: "roles/ansible-role-fail2ban"
-
-  post_tasks:
     - name: "Remove labels from cloud server {{ inventory_hostname }}"
       hetzner.hcloud.hcloud_server:
         api_token: "{{ hcloud_api_token }}"
@@ -46,3 +23,37 @@
         state: present
       when: new_server
       delegate_to: localhost
+
+    - name: "Update repositories cache on systems using apt"
+      ansible.builtin.apt:
+        update_cache: yes
+      when: ansible_pkg_mgr == 'apt'
+      changed_when: false
+      become: true
+
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-fail2ban"
+
+    #- name: "Install tools and requirements"
+    #  ansible.builtin.apt:
+    #    name:
+    #      - python3-requests
+    #      - python3-apt
+    #      - curl
+    #      - wget
+    #      - dnsutils
+    #      - mtr
+    #      - tcpdump
+    #      - ncdu
+    #      - jq
+    #      - iptables
+    #      - iptables-persistent
+    #      - unattended-upgrades
+    #    state: present
+    #  become: true
+
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-nginx"
+      when: 
+        - enable_ipv4  # otherwise acme.sh cannot be installed
+        - install_nginx

tasks/create-worker-user.yaml

@@ -2,7 +2,7 @@
 - name: "Create low privileged unix user account {{ worker_user }}"
   ansible.builtin.user:
     name: "{{ worker_user }}"
-    groups: "sudo"
+    groups: "{{ (ansible_distribution in ['Ubuntu', 'Debian']) | ternary('sudo', 'wheel') }}"
     append: true
     shell: "/bin/bash"
   become: true