| 1 | +--- |
| 2 | +- name: Setup the Minimal version of the setup script |
| 3 | + hosts: localhost |
| 4 | + #gather_facts: no |
| 5 | + become: true |
| 6 | + vars_files: |
| 7 | + - vars/default.yml |
| 8 | + |
| 9 | + pre_tasks: |
| 10 | + - name: Install python for Ansible to work. |
| 11 | + raw: test -e /usr/bin/python || (apt-get -y update && apt install -y python-minimal) |
| 12 | + changed_when: false |
| 13 | + |
| 14 | + tasks: |
| 15 | + #- name: Insert UFW Docker fix at the end of after.rules file |
| 16 | + # lineinfile: |
| 17 | + # path: /etc/ufw/after.rules |
| 18 | + # line: last |
| 19 | + - name: apt update and upgrade |
| 20 | + apt: |
| 21 | + update_cache: yes |
| 22 | + upgrade: yes |
| 23 | + |
| 24 | + - name: install list of packages from vars |
| 25 | + apt: name={{ sys_packages }} state=latest |
| 26 | + |
| 27 | +# User + Key Setup |
| 28 | +# - name: Create a new regular user with sudo privileges |
| 29 | +# user: |
| 30 | +# name: "{{ create_user }}" |
| 31 | +# state: present |
| 32 | +# password: "{{ 'password' | password_hash('sha512') }}" |
| 33 | +# groups: sudo |
| 34 | +# append: true |
| 35 | +# create_home: true |
| 36 | +# shell: /bin/bash |
| 37 | +# update_password: on_create |
| 38 | +# notify: force change password |
| 39 | + |
| 40 | +# - name: force change password |
| 41 | +# command: "chage -d 0 {{ create_user }}" |
| 42 | + |
| 43 | +# authorized_key: |
| 44 | +# user: "{{ create_user }}" |
| 45 | +# state: present |
| 46 | +# key: "{{ copy_local_key }}" |
| 47 | + |
| 48 | + - name: enable ufw |
| 49 | + ufw: |
| 50 | + state: enabled |
| 51 | + |
| 52 | + - name: allow ssh |
| 53 | + ufw: |
| 54 | + rule: allow |
| 55 | + name: OpenSSH |
| 56 | + |
| 57 | + - name: deny all other incoming traffic by default |
| 58 | + ufw: |
| 59 | + policy: deny |
| 60 | + direction: incoming |
| 61 | + |
| 62 | + - name: Disable password authentication for root |
| 63 | + lineinfile: |
| 64 | + path: /etc/ssh/sshd_config |
| 65 | + state: present |
| 66 | + regexp: '^#?PermitRootLogin' |
| 67 | + line: 'PermitRootLogin prohibit-password' |
| 68 | + |
| 69 | + - name: Disallow SSH password authentication |
| 70 | + lineinfile: |
| 71 | + path: /etc/ssh/sshd_config |
| 72 | + state: present |
| 73 | + regexp: '^#?PasswordAuthentication' |
| 74 | + line: 'PasswordAuthentication no' |
| 75 | + |
| 76 | + - name: Only allow certain users |
| 77 | + lineinfile: |
| 78 | + path: /etc/ssh/sshd_config |
| 79 | + state: present |
| 80 | + insertafter: EOF |
| 81 | + line: 'AllowUsers expi-admin@*' |
| 82 | + |
| 83 | + - name: Secure Shared Memory |
| 84 | + lineinfile: |
| 85 | + path: /etc/fstab |
| 86 | + state: present |
| 87 | + insertafter: EOF |
| 88 | + line: 'none /run/shm tmpfs defaults,ro 0 0' |
| 89 | + |
| 90 | + - name: Copy issue.net for SSH MOTD |
| 91 | + copy: |
| 92 | + src: ./overlay/etc/issue.net |
| 93 | + dest: /etc/issue.net |
| 94 | + owner: root |
| 95 | + group: root |
| 96 | + mode: '0644' |
| 97 | + |
| 98 | + - name: Enable Issue.net Banner in SSH Config |
| 99 | + lineinfile: |
| 100 | + path: /etc/ssh/sshd_config |
| 101 | + state: present |
| 102 | + regexp: '^#?Banner' |
| 103 | + line: 'Banner /etc/issue.net' |
| 104 | + |
| 105 | + - name: restart ssh service |
| 106 | + service: |
| 107 | + name: ssh |
| 108 | + state: restarted |
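Review bot: The three `lineinfile` edits to `/etc/ssh/sshd_config` (PermitRootLogin, PasswordAuthentication, AllowUsers) are followed by an unconditional `service: state: restarted` with no syntax check in between, so a malformed or mis-regexed line takes sshd down on a host where password auth has just been switched off; add `validate: '/usr/sbin/sshd -t -f %s'` to each of those three tasks so the restart only ever sees a config sshd accepts. The `AllowUsers expi-admin@*` line compounds this: the task that would create that user is commented out above and no `authorized_key` is installed, so on a host where `expi-admin` does not already exist with a key, this play leaves no permitted SSH login at all. Either restore the user/key tasks ahead of the sshd edits or state the precondition in the play header, e.g. `# Precondition: expi-admin must already exist with an authorized key; AllowUsers below restricts SSH to that account`. As a point of style, the restart would normally be a handler notified by the sshd_config tasks rather than a task that restarts on every run, and `apt: name={{ sys_packages }} state=latest` would follow the block form the other tasks use, with `update_cache: true` / `upgrade: true` in place of `yes`.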