---
# This ansible-playbook prepares fresh-from-hetzner
# servers for work with ansible.
#
# What it does:
#   secures sshd (according to bettercrypto.org)
#   adds accounts uli/henrik/deploy
#   disables root access
#
# This playbook should be executed as first thing
# after getting your hands over new hardware
#
# It will normally be run with ``ask-pass``
#
- hosts: yet-untouched
  vars:
    deploy_user: 'deploy'
    deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"

  handlers:
    - name: "restart sshd"
      service:
        name="ssh"
        enabled=yes
        state=restarted

  tasks:
    - name: "bootstrap | create 'deploy' user"
      user:
        name="{{ deploy_user }}"
        append=yes
        uid=2222

    - name: "bootstrap | update authorized key of 'deploy'"
      authorized_key:
        user="{{ deploy_user }}"
        key="{{ deploy_public_key }}"

    - name: "bootstrap | grant sudoers perms to 'deploy'"
      lineinfile:
        dest=/etc/sudoers
        insertafter="^root"
        line="{{ deploy_user }}  ALL=(ALL) NOPASSWD{{ ':' }} ALL"
        state=present

    - name: "bootstrap | sshd_config - disable weak keys"
      lineinfile:
        dest=/etc/ssh/sshd_config
        backrefs=yes
        line={{ item.line }}
        regexp={{ item.regexp }}
      with_items:
        - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key', line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
        - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key', line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
      notify: "restart sshd"

    - name: "bootstrap | sshd_config - set key bits to 4096"
      lineinfile:
        dest=/etc/ssh/sshd_config
        backrefs=yes
        line='ServerKeyBits 4096'
        regexp='^ServerKeyBits 1024'
        state=present
      notify: "restart sshd"

    - name: "bootstrap | sshd_config - set secure ciphers from bettercrypto.org"
      lineinfile:
        dest=/etc/ssh/sshd_config
        line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
        state=present
      notify: "restart sshd"

    - name: "bootstrap | sshd_config - set secure MACs from bettercrypto.org"
      lineinfile:
        dest=/etc/ssh/sshd_config
        line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
        state=present
      notify: "restart sshd"

    - name: "bootstrap | sshd_config - set secure kex algos from bettercrypto.org"
      lineinfile:
        dest=/etc/ssh/sshd_config
        line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
        state=present
      notify: "restart sshd"

    - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli"
      replace:
        dest=/etc/ssh/moduli
        regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
      notify: "restart sshd"