az
/
exam-laptop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
exam-laptop/playbook.yml

242 lines
7.1 KiB
YAML
Raw Blame History

---
- name: ensure safe environment for exams
hosts: localhost
vars:
- config_ufw: true
# to verify ufw configuration run:
# sudo ufw status verbose
tasks:
- name: link libreoffice to desktop
file:
src: /usr/share/applications/libreoffice-writer.desktop
dest: /home/pruefung/Schreibtisch/test-link.desktop
owner: pruefung
group: pruefung
state: link
- name: Install ufw
apt: package=ufw state=present
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'deny' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
# disable ipv6
- lineinfile:
path: /etc/default/ufw
state: present
regexp: '^IPV6'
line: 'IPV6=no'
- name: Enable ufw logging
ufw: logging=off
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Commenting a line.
replace:
path: /etc/ufw/before.rules
regexp: '(.*limit --limit*)'
replace: '#\1'
when: config_ufw
- name: Allow all access to tcp port 123
ufw:
rule: allow
port: '3142'
direction: '{{ item }}'
with_items:
- in
- out
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow SSH-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '22'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow apt-proxy-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '3142'
with_items:
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.1.3/32' }
- { direction: 'out', destination: '10.16.1.3/32' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow DNS-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '53'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow dns
ufw: rule={{ item.rule }} port={{ item.port }}
with_items:
- { rule: 'allow', port: '53'}
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: disable mounting of usb flash drives
file:
path: /media
owner: root
mode: '700'
- name: create user group pruefung
group:
name: "pruefung"
state: present
- name: create user student
ansible.builtin.user:
name: "pruefung"
password: "{{ 'morz' | password_hash('sha512') }}"
shell: /bin/bash
comment: Prüfungsbenutzer
group: pruefung
- name: create .config dir for created user
file:
path: "/home/pruefung/.config/"
state: directory
mode: "700"
owner: "pruefung"
group: "pruefung"
- name: Set timezone to Europe/Vienna
timezone:
name: Europe/Vienna
- name: copy template for libreoffice
copy:
src: files/Pruefung.ott
dest: /home/pruefung/Pruefung.ott
owner: ansible
group: ansible
mode: '0644'
- name: make sure libreoffice uses ower template. spacing, border, font,...
ansible.builtin.lineinfile:
path: /usr/share/applications/libreoffice-writer.desktop
regexp: 'Exec=libreoffice --writer %U'
line: Exec=libreoffice --writer %U -n /home/pruefung/Pruefung.ott
- name: purge some prior installed packages
apt:
name:
- task-kde-desktop
- task-german-kde-desktop
- task-german-desktop
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr
- akonadi-backend-sqlite
- thunderbird-l10n-de
- webext-privacy-badger
- webext-ublock-origin-firefox
- webext-ublock-origin-chromium
- vlc
- gimp
- inkscape
- flameshot
- bluefish
- nmap
- net-tools
- ghex
- thonny
- spyder
- mu-editor
- dia
- vym
- tree
- sqlite3
- kicad
- kicad-doc-de
- akonadi-backend-mysql
- akonadi-contacts-data
- akonadi-mime-data
- akonadi-server
- akregator
- aspell
- aspell-de
- dolphin
- firebird3.0-common
- gimp-data
- gwenview
- hyphen-en-us
- ingerman
- ispell
- kate
- kcalc
- kmail
- knotes
- korganizer
- wamerican
- dragonplayer
- juk
autoremove: yes
state: absent
- name: intall some prior installed packages
apt:
name:
- curl
state: latest
- name: Enable ufw
ufw: state=enabled
- name: start ufw service
service:
name: ufw
state: restarted
Reference in New Issue View Git Blame Copy Permalink