source: main/waeup-ansible/bootstrap.yml @ 13850

Last change on this file since 13850 was 13850, checked in by uli, 9 years ago

Add missing sshd_config pieces.

We set required SSH ciphers/MACs/key algos according to "Applied
Crypto Hardening" from bettercrypto.org, state 2016-04-21.
File size: 3.1 KB
RevLine 
[13839]1---
2# This ansible-playbook prepares fresh-from-hetzner
3# servers for work with ansible.
4#
5# What it does:
6#   secures sshd (according to bettercrypto.org)
7#   adds accounts uli/henrik/deploy
8#   disables root access
9#
10# This playbook should be executed as first thing
11# after getting your hands over new hardware
12#
13# It will normally be run with ``ask-pass``
14#
15- hosts: yet-untouched
[13842]16  vars:
17    deploy_user: 'deploy'
18    deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"
[13849]19
20  handlers:
21    - name: "restart sshd"
22      service:
23        name="ssh"
24        enabled=yes
25        state=restarted
26
[13839]27  tasks:
[13842]28    - name: "bootstrap | create 'deploy' user"
29      user:
30        name="{{ deploy_user }}"
31        append=yes
32        uid=2222
33
34    - name: "bootstrap | update authorized key of 'deploy'"
35      authorized_key:
36        user="{{ deploy_user }}"
37        key="{{ deploy_public_key }}"
38
[13844]39    - name: "bootstrap | grant sudoers perms to 'deploy'"
40      lineinfile:
[13847]41        dest=/etc/sudoers
42        insertafter="^root"
43        line="{{ deploy_user }}  ALL=(ALL) NOPASSWD{{ ':' }} ALL"
44        state=present
[13844]45
[13850]46    - name: "bootstrap | sshd_config - disable dsa keys"
[13845]47      lineinfile:
48        dest=/etc/ssh/sshd_config
49        backrefs=yes
50        line='# HostKey /etc/ssh/ssh_host_dsa_key'
51        regexp='^HostKey /etc/ssh/ssh_host_dsa_key'
52        state=present
[13849]53      notify: "restart sshd"
[13845]54
[13850]55    - name: "bootstrap | sshd_config - disable ecdsa keys"
[13845]56      lineinfile:
57        dest=/etc/ssh/sshd_config
58        backrefs=yes
59        line='# HostKey /etc/ssh/ssh_host_ecdsa_key'
60        regexp='^HostKey /etc/ssh/ssh_host_ecdsa_key'
61        state=present
[13849]62      notify: "restart sshd"
[13845]63
[13850]64    - name: "bootstrap | sshd_config - set key bits to 4096"
[13845]65      lineinfile:
66        dest=/etc/ssh/sshd_config
67        backrefs=yes
68        line='ServerKeyBits 4096'
69        regexp='^ServerKeyBits 1024'
70        state=present
[13849]71      notify: "restart sshd"
[13845]72
[13850]73    - name: "bootstrap | sshd_config - set secure ciphers from bettercrypto.org"
74      lineinfile:
75        dest=/etc/ssh/sshd_config
76        line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
77        state=present
78      notify: "restart sshd"
79
80    - name: "bootstrap | sshd_config - set secure MACs from bettercrypto.org"
81      lineinfile:
82        dest=/etc/ssh/sshd_config
83        line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
84        state=present
85      notify: "restart sshd"
86
87    - name: "bootstrap | sshd_config - set secure kex algos from bettercrypto.org"
88      lineinfile:
89        dest=/etc/ssh/sshd_config
90        line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
91        state=present
92      notify: "restart sshd"
93
[13848]94    - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli"
95      replace:
96        dest=/etc/ssh/moduli
97        regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
[13849]98      notify: "restart sshd"
Note: See TracBrowser for help on using the repository browser.