Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ---
- - hosts: all
- vars:
- UBUNTU_COMMON_ROOT_PASSWORD: 'xxxxx'
- UBUNTU_COMMON_DEPLOY_PASSWORD: 'xxxxx'
- UBUNTU_COMMON_LOGWATCH_EMAIL: user@example.com
- ubuntu_common_deploy_user_name: deploy
- ubuntu_common_deploy_public_keys:
- - ~/.ssh/id_rsa.pub
- ubuntu_common_required_packages:
- - ufw
- - fail2ban
- - unattended-upgrades
- - logwatch
- ubuntu_common_optional_packages:
- - mosh
- - vim
- ubuntu_common_ssh_port: 22
- ubuntu_common_mosh_from_port: 60000
- ubuntu_common_mosh_to_port: 60010
- tasks:
- - name: Change root password
- user: name=root password="{{ UBUNTU_COMMON_ROOT_PASSWORD }}"
- - name: Add deploy user
- user: name={{ ubuntu_common_deploy_user_name }} password="{{ UBUNTU_COMMON_DEPLOY_PASSWORD }}" shell=/bin/bash
- - name: Add authorized keys for deploy user
- authorized_key: user={{ ubuntu_common_deploy_user_name }} key="{{ lookup('file', item) }}"
- with_items: ubuntu_common_deploy_public_keys
- - name: Add deploy user to sudoers
- lineinfile: dest=/etc/sudoers
- regexp="{{ ubuntu_common_deploy_user_name }} ALL"
- line="{{ ubuntu_common_deploy_user_name }} ALL=(ALL) ALL"
- state=present
- - name: Update APT package cache
- apt: update_cache=yes cache_valid_time=3600
- - name: Upgrade APT to the latest packages
- apt: upgrade=safe
- - name: Install required packages
- apt: state=installed pkg={{ item }}
- with_items: ubuntu_common_required_packages
- - name: Install optional packages
- apt: state=installed pkg={{ item }}
- with_items: ubuntu_common_optional_packages
- - name: Adjust APT update intervals
- copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic
- - name: Setup ufw
- ufw: state=enabled policy=deny
- - name: Allow ssh traffic
- ufw: rule=allow port={{ ubuntu_common_ssh_port }} proto=tcp
- - name: Allow mosh traffic
- ufw: rule=allow proto=udp port={{ ubuntu_common_mosh_from_port }}:{{ ubuntu_common_mosh_to_port }}
- when: "'mosh' in ubuntu_common_optional_packages"
- - name: Set up Postfix to relay mail
- debconf: name=postfix
- question='{{ item.question }}'
- value='{{ item.value }}'
- vtype='{{ item.vtype }}'
- with_items:
- - { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
- - { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }
- - name: Email log summary daily
- lineinfile: dest=/etc/cron.daily/00logwatch
- regexp="^/usr/sbin/logwatch"
- line="/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
- state=present create=yes
- - name: Change ssh port
- lineinfile: dest=/etc/ssh/sshd_config
- regexp="^Port\s"
- line="Port {{ ubuntu_common_ssh_port }}"
- state=present
- notify: Restart ssh
- - name: Disallow password authentication
- lineinfile: dest=/etc/ssh/sshd_config
- regexp="^PasswordAuthentication"
- line="PasswordAuthentication no"
- state=present
- notify: Restart ssh
- - name: Disallow root SSH access
- lineinfile: dest=/etc/ssh/sshd_config
- regexp="^PermitRootLogin"
- line="PermitRootLogin no"
- state=present
- notify: Restart ssh
- handlers:
- - name: Restart ssh
- service: name=ssh state=restarted
Add Comment
Please, Sign In to add comment