Changeset 14325
- Timestamp:
- 8 Dec 2016, 03:10:08 (8 years ago)
- File:
-
- 1 edited
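--- a/main/waeup-ansible/bootstrap.yml
+++ b/main/waeup-ansible/bootstrap.yml
@@ -3,33 +3,51 @@
 # servers for work with ansible.
 #
-# What it does:
-# secures sshd (according to bettercrypto.org)
-# adds accounts uli/henrik/deploy
-# disables root access
+# It should be played as first thing after getting your hands over new
+# hardware
 #
-# This playbook should be executed as first thing
-# after getting your hands over new hardware
-#
-# It will normally be run with ``ask-pass``
+# The documentation for this playbook is in `README.rst`. Please read
+# it! Do not run this playbook without having read the README.
 #
 - hosts: yet-untouched
+become: yes
 vars:
-deploy_user: 'deploy'
-deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"
+# Enable root access via SSH? Set to false not before user
+# accounts are active.
+permit_ssh_root: true
+# create hashed passwords like this:
+# $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
+admin_users:
+uli:
+hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1"
+
+roles:
+- openssh
+
+handlers:
+- name: "Restart sshd"
+service:
+name="ssh"
+enabled=yes
+state=restarted
 
 tasks:
-- name: "bootstrap | update authorized key of 'deploy'"
-authorized_key:
-user="{{ deploy_user }}"
-key="{{ deploy_public_key }}"
+- name: Create admin users
+user:
+name: "{{ item.key }}"
+shell: /bin/bash
+groups: sudo
+password: "{{ item.value.hashed_pw }}"
+update_password: on_create
+state: present
+with_dict: "{{ admin_users }}"
 
-- name: "bootstrap | grant sudoers perms to 'deploy'"
-lineinfile:
-dest=/etc/sudoers
-insertafter="^root"
-line="{{ deploy_user }} ALL=(ALL) NOPASSWD{{ ':' }} ALL"
-state=present
-
-roles:
-- openssh
-- core
+- name: Disable SSH root access
+# make sure this is not run before you can log in otherwise!
+lineinfile:
+dest=/etc/ssh/sshd_config
+backrefs=yes
+line='PermitRootLogin no'
+regexp='^PermitRootLogin yes'
+state=present
+notify: "restart sshd"
+when: not permit_ssh_root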
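Review bot: The `notify: "restart sshd"` on the new "Disable SSH root access" task does not match the handler declared as `- name: "Restart sshd"`; Ansible matches handler names literally (case included), so the edited sshd_config is never reloaded and root login stays enabled until something else restarts sshd — change it to `notify: "Restart sshd"`. The regexp `'^PermitRootLogin yes'` together with `backrefs=yes` also means that on a host whose shipped config says `PermitRootLogin prohibit-password` or has the directive commented out nothing is rewritten and nothing is appended, so the task reports ok while root access stays as it was; unless the openssh role played before these tasks templates the file with an explicit `yes` line, `regexp='^#?PermitRootLogin\b'` without `backrefs` would cover those cases. Separately, the sha-512 crypt hash under `admin_users.uli.hashed_pw` is now committed to the repository, where it is available for offline guessing; keeping it in a vault-encrypted vars file would limit that exposure.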