Merge "Support for authorized keys"
authorBaha Mesleh <baha.mesleh@nokia.com>
Fri, 6 Sep 2019 07:32:53 +0000 (07:32 +0000)
committerGerrit Code Review <gerrit@akraino.org>
Fri, 6 Sep 2019 07:32:53 +0000 (07:32 +0000)
playbooks/monitoring.yml
roles/monitoring/tasks/harden_services.yml [new file with mode: 0644]

index 48e6df6..e60942e 100644 (file)
   become_user: root
   roles:
       - monitoring
+
+- name: Harden services
+  hosts: [ base ]
+  become: yes
+  become_method: sudo
+  become_user: root
+  tasks:
+      - include_role:
+          name: monitoring
+          tasks_from: harden_services.yml
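Review bot: The new play is named "Harden services", but nothing in it says what the hardening consists of, and the task file it includes only installs a drop-in called `monitor.conf`. Someone auditing the playbook cannot tell from the name whether this is a security control or a monitoring hook. A comment above the play would settle that, for example `# Installs the monitor.conf systemd drop-in for each service in hardened_services and makes sure the service is enabled and started`. As a style point, `become: yes` reads more predictably across YAML parsers as `become: true`, and `hosts: [ base ]` can simply be `hosts: base`.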
diff --git a/roles/monitoring/tasks/harden_services.yml b/roles/monitoring/tasks/harden_services.yml
new file mode 100644 (file)
index 0000000..243538e
--- /dev/null
@@ -0,0 +1,38 @@
+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name: Define services to be hardened
+  set_fact:
+      hardened_services: [ ntpd ]
+
+- name: Create hardening hooks
+  file:
+      path: "/etc/systemd/system/{{item}}.service.d"
+      state: directory
+      mode: '0755'
+  with_items: "{{hardened_services}}"
+
+- name: Create the monitoring template
+  template:
+      src: monitor.conf.j2
+      dest: "/etc/systemd/system/{{item}}.service.d/monitor.conf"
+      mode: '0640'
+  with_items: "{{hardened_services}}"
+
+- name: Start services
+  systemd:
+      state: started
+      enabled: yes
+      daemon_reload: yes
+      name: "{{item}}"
+  with_items: "{{hardened_services}}"
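Review bot: The "Start services" task only asserts `state: started`, so on a host where ntpd is already running the drop-in is written and systemd is reloaded, but the process is never restarted. Any setting in `monitor.conf.j2` that applies at process start would stay inactive until the next manual restart or reboot; this is inferred, because the template is not shown here. Registering the template result and restarting only the services whose drop-in changed closes that gap and keeps the run idempotent. The template task also sets `mode: '0640'` without `owner` or `group`; adding `owner: root` and `group: root` would make the intended permissions explicit.

```yaml
- name: Create the monitoring template
  template:
      # … unchanged: src, dest, mode …
  with_items: "{{hardened_services}}"
  register: monitor_conf

# … unchanged: Start services …

- name: Restart services whose drop-in changed
  systemd:
      state: restarted
      name: "{{item.item}}"
  with_items: "{{monitor_conf.results}}"
  when: item.changed
```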