Changeset 13994
- Timestamp:
- 27 Jun 2016, 11:42:12 (8 years ago)
- Location:
- main/waeup-ansible
- Files:
-
- 9 added
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup-ansible/bootstrap.yml
r13851 r13994 18 18 deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}" 19 19 20 handlers:21 - name: "restart sshd"22 service:23 name="ssh"24 enabled=yes25 state=restarted26 27 20 tasks: 28 - name: "bootstrap | create 'deploy' user"29 user:30 name="{{ deploy_user }}"31 append=yes32 uid=222233 34 21 - name: "bootstrap | update authorized key of 'deploy'" 35 22 authorized_key: … … 44 31 state=present 45 32 46 - name: "bootstrap | sshd_config - disable weak keys" 47 lineinfile: 48 dest=/etc/ssh/sshd_config 49 backrefs=yes 50 line={{ item.line }} 51 regexp={{ item.regexp }} 52 with_items: 53 - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key', line: '# HostKey /etc/ssh/ssh_host_dsa_key' } 54 - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key', line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' } 55 notify: "restart sshd" 56 57 - name: "bootstrap | sshd_config - set key bits to 4096" 58 lineinfile: 59 dest=/etc/ssh/sshd_config 60 backrefs=yes 61 line='ServerKeyBits 4096' 62 regexp='^ServerKeyBits 1024' 63 state=present 64 notify: "restart sshd" 65 66 - name: "bootstrap | sshd_config - set secure ciphers from bettercrypto.org" 67 lineinfile: 68 dest=/etc/ssh/sshd_config 69 line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr' 70 state=present 71 notify: "restart sshd" 72 73 - name: "bootstrap | sshd_config - set secure MACs from bettercrypto.org" 74 lineinfile: 75 dest=/etc/ssh/sshd_config 76 line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' 77 state=present 78 notify: "restart sshd" 79 80 - name: "bootstrap | sshd_config - set secure kex algos from bettercrypto.org" 81 lineinfile: 82 dest=/etc/ssh/sshd_config 83 line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' 84 state=present 85 notify: "restart sshd" 86 87 - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli" 88 replace: 89 dest=/etc/ssh/moduli 90 regexp='^([0-9]+\s){4}(1[0-9]{3}\s)' 91 notify: "restart sshd" 33 roles: 34 - openssh 35 - core
Note: See TracChangeset for help on using the changeset viewer.