no solarized color scheme

base.yml

@@ -40,6 +40,22 @@
       tags: sshkeys
 
 
+- name: Install firewall
+  hosts: "{{ machine_name }}"
+  vars:
+  - firewall_allowed_tcp_ports:
+    - "{{ ssh_port }}"
+    - "80"
+    - "443"
+    - "8080" # cadvisor
+    - "9100" # nodeexporter
+    - "3100" # loki
+    - "9113" # nginxexporter
+  roles:
+    - role: firewall
+      become: yes
+
+
 - name: Set up dotfiles
   hosts: "{{ machine_name }}"
   roles:

dockprom.yml

@@ -2,12 +2,10 @@
 # deploy dockprom pod to dev stage
 
 - name: Install dockprom docker pod
-  hosts:
-  - bespin
+  hosts: "{{ machine_name }}"
   vars:
-    install_client_service: "true"
-    dockprom_bind_ip: "192.168.30.10"
+  - install_client_service: "true"
+  - dockprom_bind_ip: "192.168.30.40"
   roles:
   - role: pod-dockprom
     become: yes
-

firewall.yml

@@ -0,0 +1,25 @@
+---
+# Playbook for firewall role
+
+
+- name: Set up SSH keys
+  hosts: "{{ machine_name }}"
+  roles:
+    - role: sshkeys
+      tags: sshkeys
+
+
+- name: Install firewall
+  hosts: "{{ machine_name }}"
+  vars:
+  - firewall_allowed_tcp_ports:
+    - "{{ ssh_port }}"
+    - "80"
+    - "443"
+    - "8080" # cadvisor
+    - "9100" # nodeexporter
+    - "3100" # loki
+    - "9113" # nginxexporter
+  roles:
+    - role: firewall
+      become: yes

group_vars/all/main.yml

@@ -30,15 +30,20 @@ charlesreid1_port_ssl_gitea: "443"
 # pyenv variables
 pyenv_root: "/home/{{ username }}/.pyenv"
 pyenv_versions:
-  - miniconda3-4.3.30
+  - 3.7.9
+#  - miniconda3-4.3.30
 #  - 3.7.5
 #  - 3.8.0
-pyenv_global_version: miniconda3-4.3.30
+pyenv_global_version: 3.7.9
 pyenv_python: "{{ pyenv_root }}/versions/{{ pyenv_global_version }}/bin/python"
 pyenv_pip: "{{ pyenv_root }}/versions/{{ pyenv_global_version }}/bin/pip"
 
 
 
+# ports
+ssh_port: 5778
+
+
 ########################
 # vault variables
 

group_vars/all/vault

@@ -1,60 +1,59 @@
 $ANSIBLE_VAULT;1.1;AES256
-37633430646463656366396433396462383465383039636132376164626364336664366230383964
-3835663562353932346533306238653031623937313935320a306134636538383366383637636234
-34633239656434313565306133366539353664333536313739333766303666373162636532633436
-3935623266616435340a356234616231646334633239336363633166373563343363313366663464
-33316161626238373162306332343335656534663963316365396635623237333631336564636161
-61363861313564323539333836393364373738373236633636373365343632613435383237623562
-61393261333431626234623437636433643964383138623633316465653562623533326562663837
-39356633366539346433303139663733383239316434376137313838376462646231643839646163
-66373237653136333534643636666138653136623465633738633165366632363235633134356362
-36346261363837643238306332323238336132306265616363303532346362613766306433623565
-33373134646366346265633562306634303736613563653061333461636465313261343565386131
-39333438633332376638373431643064653337303564643533386436353865346139383936643737
-66666130323533373966363062646433336235373766313363666539383865646464326465363332
-30616662623863623533316536653132316535376630623165656335353163653761633465383332
-33623530316135616264366436346332353265346136626337633632323538653539326234346632
-37336461646666346235306535646530336635326536616635316162326133636261656262636138
-34636534313536623364663830366264373433373066363934396338303766333831643163326130
-64623761383334333266356338626630366162643764666264316139663361373562353164393431
-65656134333561643165623036666139333335323066636262386336666461646631623564653733
-30646462396131336262376264373963626531616665616630623532353739623938623234326635
-62633166303563383564363465333433316263623665323332663131353765393463306561663861
-64326564663165666234306664396335313933656332363064643661656162393831386431653339
-62653365393031383836626139303335396236326239643266313261326164646338613733363063
-33666436653439336639316539626634626661646638333863643266626466633530376266313339
-32383636646131346639656238373962393539633231386663343533336266393862383163383962
-34626264383635303435616234396664646136373436326163323761373636373162653531646434
-31643263636433656161303666313130306165613336343934343761636537643566666436623235
-65353737663034376333373835366131383235303863666231643663626130663737313662653533
-34353732386562383863306637663266363064336536613631373464636334646166396435363763
-66323232653437313535346561356632343039636435373739306263396533616333616532306439
-61383730353534333962363334313331636232666261613566393833313932353434323763343733
-34346639363037383962653437343630366237316530396365343364363434653766386239343438
-30626166333163333164326536323334646465613235363734653736626163303361396233646135
-61313862616431353161306238376336373434373331666233356264343466353536373961653662
-63363936333938303037323730636262356136336564623064356666636334666364646130613134
-66663063303361666366613163393861303835356461643865333035363161383237356434356538
-38623831316363656435313737666163313137323431313936316534366430633264633033653038
-37666663383763303936373465383437616338653430343035626662393330326562643139333364
-36616465636231393266373638373433616438343564366233343631643234393764653337636334
-64396236333965613537393034623232373731303965346263613161633336636131366533333635
-65343732313963313062303333383839333130653766393334366331363336346137323261363639
-64626364616361386365633066363566643530383564663063623931313833626264326463376139
-36613836316538373366653537333430613765633032663235383661626331363438323962363133
-62363836313837373665306263663733336564633936306331656334353665633936633339626235
-63626637656462343438326536643837393339653837366433396633646461643731616265616238
-63656332313434633866643961633130396432363431306562653530343736373630623061386636
-61386165373730623934653736343964383039366437613063383636363862646233666137623635
-36303765633431313933353161336236663736643036636365623965653164303535366637343937
-36386235353339336239303961663165313263303334643238393039373233656164356138383136
-38643863666230353938653062383963393362396266393165333461333035666632356131373835
-39646231613332343638373961356666393533653235303034626162666633626566366564396330
-63323939376539646261353433663237393237323833613933323332643334366663653836306535
-32353736376665396235353661313866643633613239626638343662363832303363386638646261
-31383565646438313331626330316462613638346565303232363437333531363330636435666338
-66316364303138323835663761373865656266396231643339613934396562383665663736393561
-64646438326262386464656236636162323064396431383333316134313238626464653565396237
-64353336323636303532383932306436393631333132383565373134636230356634356266306338
-34303332666666616636633265346563383738363762356136346163363665353332383763323238
-313736636134323433336637303939303836
+62626164613766613162653233616565393064366366303463653761626435663236366237663931
+3938316262353261666435313766306438656330653561330a303036313536363263633635636435
+33363266643233363838616239333061316432346362383063326630623532363862666331373137
+6161643632353730350a656335663536366264633634323263386461646161386233646639393862
+32663162613130343463646363653663363237303436623138633366316163323164623366616538
+31306336383434656536383339383535646461326539653934363436333363633963313239383938
+30666333373537653338316633643436313732346261656330643162343230636163343136353464
+33646237663338636134613832623338316463366338623662363665633561316565306664663533
+62336636626136613465346533316237626335656632373535383137353264306337633637653762
+34366561386462306464373263363537303465306533303935383130393161343030323337343932
+33323839326665643734643064353838643436626363643733363232386665323761303165383236
+33393533333361383566616335343336303730656432306632326134653239306334306438646437
+65323339303038656239333230323037343466393134353731643033643065333431623333663264
+61306132636637353734373064343965386233663031313836306639313533303130306663316666
+30626564373066333561633363383733313063346564336338653737346130313432653231353732
+64636661346434616536636638623265396330343639613139623965373131336363376333626162
+65386562613362613266336565303065663132336263636535623639383035343131336532393466
+66666563623863653566336464363738366566343462366263653434303364623237633763333864
+34313362643665613834303533653533326531396132613539363434363463303263643433363866
+35353331633436346238616231656166343030613935343332363132363135353063386563366438
+61653739373534313164373262326233613032353835616334396332643262616665326130386462
+37363734633964363937633336326361313561373066643766356462333562373565643138333065
+66613165393539663239396561393235653236646537656637356430323731643761613061393665
+32636262343861386264326666613230373966316561653637336465653831343531363439323433
+65343430303361663437666230383236656538326466636366373366326637633063383538643461
+64643431656535623961313164623764376130633839306632376237633734343635393164356363
+39636261666639626261313962386434626533313538393463623365643065633432386630386434
+34313164313366353862653838356431323764633133303962346663303836333361613333666463
+34633032393861386332383236366432396337353539616132336537326663303263613464346235
+37373163383164306233653265356136393364316637626361353432333436306634643462333530
+63623330666237636138633131646232663531326462303837393236656662666233316532373162
+62353366326238313131366234646532626565666563393139376536643936313736626166313466
+61383461383538386566356333396464373636626266373239623266356263323532646366343966
+39666566623964303834326330303437626431356261396663373031306164636131383338313661
+38373034663266663763656436666137336235646635326664326633616662383039386139616266
+61306630373838333234613566386431633534653961633234653364326437356233343965666465
+65326266656665633331356665363435343438613134343339393762373762643530376363343930
+35333735386331343530343239393864323838633364363338373734323434393736333837373363
+38383464303434316436343764373934643162616237333930383239353862366532316263303461
+66333031323563626461363134656636393734323531343163373736353965323865613963646332
+32653363336366643261323063323662326239346135316664393366623532333865343461666532
+34343761636135363035313338353934653533366165633361653738333836336630383538336264
+61633538623663313136363636393332616335626137326332613131363934373235306662356163
+65643334376634626665316136393236313437376233333963316134613861623035666132386136
+63363062653235663136383665356661306538373566313136336564356563326138656635353466
+31646333373334623931353037663863636366386530383435623139336630353261633339323961
+65646332623336616536343063643666646634326462366131613930653538613433373230326633
+38353733656561353938306235303231623438396366356235666131323366633061313361656533
+38646331336636303138623962646464363062313462366664653466326335393437333336366133
+37383462303635316661343935353762666633366334343430326562663434313239373235356235
+32303962653437366363363739646263663264376665353362383033383466336435303736313731
+35646361306535373532393038383030336634353737343534663461393830346464386138623139
+61623664626164386630623633363237643161656434343465633530653836373439376339313831
+39343739336461333535663264626230393737306137653864323734626639313133626132626436
+66616465386333626332663064396137666561663162383337333634303037366234633632623538
+36356464323333613861383432356263636438316133333531393331323262316438343633643333
+39363130376562373163663633363363306133643161313063303165643934633266613330616130
+6633313739623562656533376639346132333338373030303561

linode.cfg

@@ -1,6 +1,6 @@
 [defaults]
 inventory = linodehosts
-remote_user = root
+remote_user = charles
 private_key_file = ~/.ssh/id_rsa
 host_key_checking = False
 vault_password_file = .vault_secret

linodehosts

@@ -1,10 +1,13 @@
 [servers:children]
 bear
-bespin
 dorky
+dracaena
 
 [bear]
 linode_bear ansible_host=300.300.300.300 ansible_port=22 ansible_python_interpreter=/usr/bin/python3
 
 [dorky]
 linode_dorky ansible_host=400.400.400.400 ansible_port=22 ansible_python_interpreter=/usr/bin/python3
+
+[dracaena]
+linode_dracaena ansible_host=500.500.500.500 ansible_port=22 ansible_python_interpreter=/usr/bin/python3

roles/firewall/.gitignore

@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc

roles/firewall/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

roles/firewall/README.md

@@ -0,0 +1,4 @@
+# Firewall Ansible Role
+
+Source: <https://github.com/geerlingguy/ansible-role-firewall>
+

roles/firewall/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+firewall_state: started
+firewall_enabled_at_boot: true
+
+firewall_flush_rules_and_chains: true
+
+firewall_allowed_tcp_ports:
+  - "22"
+  - "80"
+  - "443"
+
+firewall_allowed_udp_ports: []
+firewall_forwarded_tcp_ports: []
+firewall_forwarded_udp_ports: []
+firewall_additional_rules: []
+firewall_enable_ipv6: true
+firewall_ip6_additional_rules: []
+firewall_log_dropped_packets: true
+
+# Set to true to ensure other firewall management software is disabled.
+firewall_disable_firewalld: true
+firewall_disable_ufw: true

roles/firewall/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart firewall
+  service: name=firewall state=restarted

roles/firewall/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Ensure iptables is present.
+  package: name=iptables state=present
+
+- name: Flush iptables the first time playbook runs.
+  command: >
+    iptables -F
+    creates=/etc/firewall.bash
+
+- name: Copy firewall script into place.
+  template:
+    src: firewall.bash.j2
+    dest: /etc/firewall.bash
+    owner: root
+    group: root
+    mode: 0744
+  notify: restart firewall
+
+- name: Copy firewall init script into place.
+  template:
+    src: firewall.init.j2
+    dest: /etc/init.d/firewall
+    owner: root
+    group: root
+    mode: 0755
+  when: "ansible_service_mgr != 'systemd'"
+
+- name: Copy firewall systemd unit file into place (for systemd systems).
+  template:
+    src: firewall.unit.j2
+    dest: /etc/systemd/system/firewall.service
+    owner: root
+    group: root
+    mode: 0644
+  when: "ansible_service_mgr == 'systemd'"
+
+- name: Configure the firewall service.
+  service:
+    name: firewall
+    state: "restarted"
+    #state: "{{ firewall_state }}"
+    enabled: "{{ firewall_enabled_at_boot }}"
+
+- name: Stop the docker service.
+  service:
+    name: docker
+    state: stopped
+
+- name: Start the docker service.
+  service:
+    name: docker
+    state: started

roles/firewall/templates/firewall.bash.j2

@@ -0,0 +1,138 @@
+#!/bin/bash
+# iptables firewall.
+#
+# This file should be located at /etc/firewall.bash, and is meant to work with
+# the `geerlingguy.firewall` Ansible role.
+#
+# Common port reference:
+#   22: SSH
+#   25: SMTP
+#   80: HTTP
+#   123: NTP
+#   443: HTTPS
+#   2222: SSH alternate
+#   8080: HTTP alternate
+#
+# @author Jeff Geerling
+
+# No spoofing.
+if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
+then
+for filter in /proc/sys/net/ipv4/conf/*/rp_filter
+do
+echo 1 > $filter
+done
+fi
+
+# Set the default rules.
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+
+{% if firewall_flush_rules_and_chains %}
+# Remove all rules and chains.
+iptables -t nat -F
+iptables -t mangle -F
+iptables -F
+iptables -X
+{% endif %}
+
+# Accept traffic from loopback interface (localhost).
+iptables -A INPUT -i lo -j ACCEPT
+
+# Forwarded ports.
+{# Add a rule for each forwarded port #}
+{% for forwarded_port in firewall_forwarded_tcp_ports %}
+iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+{% for forwarded_port in firewall_forwarded_udp_ports %}
+iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+
+# Open ports.
+{# Add a rule for each open port #}
+{% for port in firewall_allowed_tcp_ports %}
+iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% for port in firewall_allowed_udp_ports %}
+iptables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# Accept icmp ping requests.
+iptables -A INPUT -p icmp -j ACCEPT
+
+# Allow NTP traffic for time synchronization.
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+iptables -A INPUT -p udp --sport 123 -j ACCEPT
+
+# Additional custom rules.
+{% for rule in firewall_additional_rules %}
+{{ rule }}
+{% endfor %}
+
+# Allow established connections:
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Log EVERYTHING (ONLY for Debug).
+# iptables -A INPUT -j LOG
+
+{% if firewall_log_dropped_packets %}
+# Log other incoming requests (all of which are dropped) at 15/minute max.
+iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+{% endif %}
+
+# Drop all other traffic.
+iptables -A INPUT -j DROP
+
+{% if firewall_enable_ipv6 %}
+# Configure IPv6 if ip6tables is present.
+if [ -x "$(which ip6tables 2>/dev/null)" ]; then
+
+{% if firewall_flush_rules_and_chains %}
+  # Remove all rules and chains.
+  ip6tables -F
+  ip6tables -X
+{% endif %}
+
+  # Accept traffic from loopback interface (localhost).
+  ip6tables -A INPUT -i lo -j ACCEPT
+
+  # Open ports.
+{# Add a rule for each open port #}
+{% for port in firewall_allowed_tcp_ports %}
+  ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% for port in firewall_allowed_udp_ports %}
+  ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+  # Accept icmp ping requests.
+  ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
+  # Allow NTP traffic for time synchronization.
+  ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
+  ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
+
+  # Additional custom rules.
+{% for rule in firewall_ip6_additional_rules %}
+  {{ rule }}
+{% endfor %}
+
+  # Allow established connections:
+  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+  # Log EVERYTHING (ONLY for Debug).
+  # ip6tables -A INPUT -j LOG
+
+{% if firewall_log_dropped_packets %}
+  # Log other incoming requests (all of which are dropped) at 15/minute max.
+  ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+{% endif %}
+
+  # Drop all other traffic.
+  ip6tables -A INPUT -j DROP
+
+fi
+{% endif %}

roles/firewall/templates/firewall.init.j2

@@ -0,0 +1,52 @@
+#! /bin/sh
+# /etc/init.d/firewall
+#
+# Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling.
+#
+# @author Jeff Geerling
+
+### BEGIN INIT INFO
+# Provides:          firewall
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start firewall at boot time.
+# Description:       Enable the firewall.
+### END INIT INFO
+
+# Carry out specific functions when asked to by the system
+case "$1" in
+  start)
+    echo "Starting firewall."
+    /etc/firewall.bash
+    ;;
+  stop)
+    echo "Stopping firewall."
+    iptables -F
+    if [ -x "$(which ip6tables 2>/dev/null)" ]; then
+        ip6tables -F
+    fi
+    ;;
+  restart)
+    echo "Restarting firewall."
+    /etc/firewall.bash
+    ;;
+  status)
+    echo -e "`iptables -L -n`"
+    EXIT=4 # program or service status is unknown
+    NUMBER_OF_RULES=$(iptables-save | grep '^\-' | wc -l)
+    if [ 0 -eq $NUMBER_OF_RULES ]; then
+        EXIT=3 # program is not running
+    else
+        EXIT=0 # program is running or service is OK
+    fi
+    exit $EXIT
+    ;;
+  *)
+    echo "Usage: /etc/init.d/firewall {start|stop|status|restart}"
+    exit 1
+    ;;
+esac
+
+exit 0

roles/firewall/templates/firewall.unit.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=Firewall
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/firewall.bash
+ExecStop=/sbin/iptables -F
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

roles/sshkeys/defaults/main.yml

@@ -7,3 +7,4 @@ username: "{{ nonroot_user }}"
 # link it with this email.
 ssh_key_email: ""
 
+ssh_port: 22

roles/sshkeys/files/config

@@ -0,0 +1,2 @@
+Host *
+    StrictHostKeyChecking accept-new

roles/sshkeys/handlers/main.yml

@@ -0,0 +1,6 @@
+
+---
+- name: restart ssh
+  service:
+    name: "ssh"
+    state: "restarted"

roles/sshkeys/tasks/main.yml

@@ -12,6 +12,7 @@
     path: /root/.ssh
     state: directory
   tags:
+    - ssh
     - root-ssh
 
 - name: Check if a root user SSH key already exists
@@ -20,6 +21,7 @@
     path: "/root/.ssh/id_rsa"
   register: root_key_check
   tags:
+    - ssh
     - root-ssh
 
 - name: "Generate SSH keys for root user ({{ ssh_key_email }})"
@@ -28,6 +30,7 @@
   when:
     - "not root_key_check.stat.exists"
   tags:
+    - ssh
     - root-ssh
 
 - name: Set permissions on root .ssh directory
@@ -40,22 +43,7 @@
   when:
     - "not root_key_check.stat.exists"
   tags:
-    - root-ssh
-
-
-
-###############################
-# root: copy authorized keys
-
-
-- name: Copy (overwrite) the authorized keys file into the root .ssh directory
-  become: yes
-  copy:
-    src: authorized_keys
-    dest: /root/.ssh/authorized_keys
-    mode: 0600
-    force: yes
-  tags:
+    - ssh
     - root-ssh
 
 
@@ -72,6 +60,7 @@
     owner: "{{ username }}"
     group: "{{ username }}"
   tags:
+    - ssh
     - nonroot-ssh
 
 - name: Check if a nonroot user SSH key already exists
@@ -81,6 +70,7 @@
     path: "/home/{{ username }}/.ssh/id_rsa"
   register: nonroot_key_check
   tags:
+    - ssh
     - nonroot-ssh
 
 - name: "Generate SSH keys for nonroot user {{ username }} ({{ ssh_key_email }})"
@@ -90,6 +80,7 @@
   when:
     - "not nonroot_key_check.stat.exists"
   tags:
+    - ssh
     - nonroot-ssh
 
 - name: Set permissions on nonroot .ssh directory
@@ -103,6 +94,7 @@
     owner: "{{ username }}"
     group: "{{ username }}"
   tags:
+    - ssh
     - nonroot-ssh
 
 
@@ -121,15 +113,74 @@
     owner: "{{ username }}"
     group: "{{ username }}"
   tags:
+    - ssh
     - nonroot-ssh
 
 
+
+
 ##################################
-# nonroot: automatically accept new keys
+# nonroot: copy ssh configuration
 
-- name: Automatically accept new SSH keys
+- name: Copy the ssh configuration to the nonroot user .ssh directory
   become: yes
   become_user: "{{ username }}"
-  command: "echo 'StrictHostKeyChecking=accept-new' > ~/.ssh/config"
+  copy:
+    src: config
+    dest: "/home/{{ username }}/.ssh/config"
+    mode: 0600
+    force: yes
+    owner: "{{ username }}"
+    group: "{{ username }}"
   tags:
+    - ssh
     - nonroot-ssh
+
+
+
+##################################
+# system ssh configuration
+
+- name: Ensure SSH daemon is running.
+  service:
+    name: "ssh"
+    state: "started"
+
+- name: Update SSH configuration to be more secure.
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: 0644
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication no"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin no"
+    - regexp: "^Port"
+      line: "Port {{ ssh_port }}"
+    - regexp: "^UseDNS"
+      line: "UseDNS no"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords no"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication no"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication no"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding no"
+  notify: restart ssh
+  tags:
+    - ssh
+    - root-ssh
+
+
+## 
+## - name: Automatically accept new SSH keys
+##   become: yes
+##   become_user: "{{ username }}"
+##   command: "echo 'StrictHostKeyChecking=accept-new' > ~/.ssh/config"
+##   tags:
+##     - nonroot-ssh

roles/vim/tasks/main.yml

@@ -82,15 +82,3 @@
     mode: 0755
 
 
-############################
-# install solarized color scheme
-
-- name: Download solarized color scheme to ~/.vim/colors
-  become: yes
-  become_user: "{{ username }}"
-  get_url:
-    url: "https://raw.githubusercontent.com/altercation/vim-colors-solarized/master/colors/solarized.vim"
-    dest: "/home/{{ username }}/.vim/colors/solarized.vim"
-    mode: 0755
-
-