source: main/waeup-ansible/bootstrap.yml @ 17497

Last change on this file since 17497 was 16987, checked in by uli, 2 years ago

Update SSH config to current infosec state.

File size: 1.9 KB
RevLine 
[13839]1---
2# This ansible-playbook prepares fresh-from-hetzner
3# servers for work with ansible.
4#
[14325]5# It should be played as first thing after getting your hands over new
6# hardware
[13839]7#
[14325]8# The documentation for this playbook is in `README.rst`.  Please read
9# it! Do not run this playbook without having read the README.
[13839]10#
[15915]11- hosts: yet_untouched
[14325]12  become: yes
[13842]13  vars:
[14325]14    # Enable root access via SSH? Set to false not before user
15    # accounts are active.
[15915]16    permit_ssh_root: false
[15389]17    # Allow admin users below to become root w/o entering password?
18    permit_become_root_no_password: true
[16987]19    create_admin_user: false
[14325]20    # create hashed passwords like this:
21    #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
[16987]22    admin_users: {}
[13849]23
[16987]24        #    uli:
25        #         hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"
26
[14325]27  roles:
28  - openssh
29
30  handlers:
31  - name: "Restart sshd"
32    service:
33      name="ssh"
34      enabled=yes
35      state=restarted
36
[13839]37  tasks:
[14325]38  - name: Create admin users
[16987]39    when: create_admin_users
[14325]40    user:
41      name: "{{ item.key }}"
42      shell: /bin/bash
43      groups: sudo
44      password: "{{ item.value.hashed_pw }}"
45      update_password: on_create
46      state: present
47    with_dict: "{{ admin_users }}"
[13842]48
[14325]49  - name: Disable SSH root access
50    # make sure this is not run before you can log in otherwise!
51    lineinfile:
52      dest=/etc/ssh/sshd_config
53      backrefs=yes
54      line='PermitRootLogin no'
55      regexp='^PermitRootLogin yes'
56      state=present
57    notify: "restart sshd"
58    when: not permit_ssh_root
[16987]59
60  - name: Disable SSH root access
61    # make sure this is not run before you can log in otherwise!
62    lineinfile:
63      dest=/etc/ssh/sshd_config
64      line="AuthenticationMethods publickey"
65      state=present
66    notify: "restart sshd"
67    when: not permit_ssh_root
Note: See TracBrowser for help on using the repository browser.