Changeset 13994 for main/waeup-ansible


Timestamp:
27 Jun 2016, 11:42:12 (8 years ago)
Author:
uli
Message:

Turn (some) tasks from playbook into roles.

Location:
main/waeup-ansible
Files:
9 added
1 edited

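--- a/main/waeup-ansible/bootstrap.yml
+++ b/main/waeup-ansible/bootstrap.yml
@@ -18,18 +18,5 @@
     deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"
 
-  handlers:
-    - name: "restart sshd"
-      service:
-        name="ssh"
-        enabled=yes
-        state=restarted
-
   tasks:
-    - name: "bootstrap | create 'deploy' user"
-      user:
-        name="{{ deploy_user }}"
-        append=yes
-        uid=2222
-
     - name: "bootstrap | update authorized key of 'deploy'"
       authorized_key:
@@ -44,48 +31,5 @@
         state=present
 
-    - name: "bootstrap | sshd_config - disable weak keys"
-      lineinfile:
-        dest=/etc/ssh/sshd_config
-        backrefs=yes
-        line={{ item.line }}
-        regexp={{ item.regexp }}
-      with_items:
-        - { regexp: '^HostKey /etc/ssh/ssh_host_dsa_key', line: '# HostKey /etc/ssh/ssh_host_dsa_key' }
-        - { regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key', line: '# HostKey /etc/ssh/ssh_host_ecdsa_key' }
-      notify: "restart sshd"
-
-    - name: "bootstrap | sshd_config - set key bits to 4096"
-      lineinfile:
-        dest=/etc/ssh/sshd_config
-        backrefs=yes
-        line='ServerKeyBits 4096'
-        regexp='^ServerKeyBits 1024'
-        state=present
-      notify: "restart sshd"
-
-    - name: "bootstrap | sshd_config - set secure ciphers from bettercrypto.org"
-      lineinfile:
-        dest=/etc/ssh/sshd_config
-        line='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
-        state=present
-      notify: "restart sshd"
-
-    - name: "bootstrap | sshd_config - set secure MACs from bettercrypto.org"
-      lineinfile:
-        dest=/etc/ssh/sshd_config
-        line='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
-        state=present
-      notify: "restart sshd"
-
-    - name: "bootstrap | sshd_config - set secure kex algos from bettercrypto.org"
-      lineinfile:
-        dest=/etc/ssh/sshd_config
-        line='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
-        state=present
-      notify: "restart sshd"
-
-    - name: "bootstrap | remove short moduli (<2048 bits) from /etc/ssh/moduli"
-      replace:
-        dest=/etc/ssh/moduli
-        regexp='^([0-9]+\s){4}(1[0-9]{3}\s)'
-      notify: "restart sshd"
+  roles:
+    - openssh
+    - core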
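Review bot: Placing the new `roles:` block after `tasks:` at the end of the play reads as if the roles run last, but Ansible executes a play's roles before its `tasks:` regardless of where they are listed, so openssh and core run before the remaining "update authorized key of 'deploy'" task; moving `roles:` above `tasks:` or adding `# roles run before tasks: deploy user must exist before its key is set` makes that ordering explicit. The `restart sshd` handler removed from the play was the target of every sshd_config `notify`, so the openssh role presumably has to carry its own handler of that name — that is not visible here and worth confirming, since a notify with no matching handler fails the play. The remaining task still relies on `deploy_user`, and the user-creation step now lives in a role; if that role does not consume the same play variable, the key would be installed for a user that was created under a different name. The play's header (hosts, vars) lies outside this section.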