| 1 | --- |
|---|
| 2 | # This ansible-playbook prepares fresh-from-hetzner |
|---|
| 3 | # servers for work with ansible. |
|---|
| 4 | # |
|---|
| 5 | # What it does: |
|---|
| 6 | # secures sshd (according to bettercrypto.org) |
|---|
| 7 | # adds accounts uli/henrik/deploy |
|---|
| 8 | # disables root access |
|---|
| 9 | # |
|---|
| 10 | # This playbook should be executed as first thing |
|---|
| 11 | # after getting your hands over new hardware |
|---|
| 12 | # |
|---|
| 13 | # It will normally be run with ``ask-pass`` |
|---|
| 14 | # |
|---|
| 15 | - hosts: yet-untouched |
|---|
| 16 | vars: |
|---|
| 17 | deploy_user: 'deploy' |
|---|
| 18 | deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}" |
|---|
| 19 | |
|---|
| 20 | handlers: |
|---|
| 21 | - name: "restart sshd" |
|---|
| 22 | service: |
|---|
| 23 | name="ssh" |
|---|
| 24 | enabled=yes |
|---|
| 25 | state=restarted |
|---|
| 26 | |
|---|
| 27 | tasks: |
|---|
| 28 | - name: "bootstrap | create 'deploy' user" |
|---|
| 29 | user: |
|---|
| 30 | name="{{ deploy_user }}" |
|---|
| 31 | append=yes |
|---|
| 32 | uid=2222 |
|---|
| 33 | |
|---|
| 34 | - name: "bootstrap | update authorized key of 'deploy'" |
|---|
| 35 | authorized_key: |
|---|
| 36 | user="{{ deploy_user }}" |
|---|
| 37 | key="{{ deploy_public_key }}" |
|---|
| 38 | |
|---|
| 39 | - name: "bootstrap | grant sudoers perms to 'deploy'" |
|---|
| 40 | lineinfile: |
|---|
| 41 | dest=/etc/sudoers |
|---|
| 42 | insertafter="^root" |
|---|
| 43 | line="{{ deploy_user }} ALL=(ALL) NOPASSWD{{ ':' }} ALL" |
|---|
| 44 | state=present |
|---|
| 45 | |
|---|
| 46 | - name: "bootstrap | disable dsa keys in sshd_config" |
|---|
| 47 | lineinfile: |
|---|
| 48 | dest=/etc/ssh/sshd_config |
|---|
| 49 | backrefs=yes |
|---|
| 50 | line='# HostKey /etc/ssh/ssh_host_dsa_key' |
|---|
| 51 | regexp='^HostKey /etc/ssh/ssh_host_dsa_key' |
|---|
| 52 | state=present |
|---|
| 53 | notify: "restart sshd" |
|---|
| 54 | |
|---|
| 55 | - name: "bootstrap | disable ecdsa keys in sshd_config" |
|---|
| 56 | lineinfile: |
|---|
| 57 | dest=/etc/ssh/sshd_config |
|---|
| 58 | backrefs=yes |
|---|
| 59 | line='# HostKey /etc/ssh/ssh_host_ecdsa_key' |
|---|
| 60 | regexp='^HostKey /etc/ssh/ssh_host_ecdsa_key' |
|---|
| 61 | state=present |
|---|
| 62 | notify: "restart sshd" |
|---|
| 63 | |
|---|
| 64 | - name: "bootstrap | set key bits in sshd_config to 4096" |
|---|
| 65 | lineinfile: |
|---|
| 66 | dest=/etc/ssh/sshd_config |
|---|
| 67 | backrefs=yes |
|---|
| 68 | line='ServerKeyBits 4096' |
|---|
| 69 | regexp='^ServerKeyBits 1024' |
|---|
| 70 | state=present |
|---|
| 71 | notify: "restart sshd" |
|---|
| 72 | |
|---|
| 73 | - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli" |
|---|
| 74 | replace: |
|---|
| 75 | dest=/etc/ssh/moduli |
|---|
| 76 | regexp='^([0-9]+\s){4}(1[0-9]{3}\s)' |
|---|
| 77 | notify: "restart sshd" |
|---|
