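#
# provision_server.yaml
# Author: Joel Hans, for SSD Nodes
#
# This script aims to accomplish a few simple tasks:
# * Create a new user with `sudo` access
# * Enable SSH key-based authentication
# * Harden SSH with some simple-but-logical options
# * Install a few packages for convenience
#
# Changes in this revision:
# * The sshd hardening edited /etc/ssh/sshd instead of /etc/ssh/sshd_config,
#   so none of it took effect. The path is fixed and every edit is checked
#   with `sshd -t` before it is written, so a malformed line cannot lock
#   you out when the daemon restarts.
# * `^^#?PasswordAuthentication` (double caret) never matched, so an
#   existing `PasswordAuthentication yes` was left in place and a duplicate
#   appended; sshd honours the first directive it reads.
# * `wheel` membership grants sudo only where the distro sudoers already
#   lists %wheel (RHEL family); Debian grants %sudo. A visudo-validated
#   drop-in now grants the group explicitly on every OS family.
# * sshd is restarted through a handler, i.e. only when its config changed.
# * Duplicate AllowAgentForwarding entry removed; booleans written as
#   true/false; key=value module args converted to block YAML.
#
---
- hosts: ssdnodes
  remote_user: root

  vars_prompt:
    - name: "user_name"
      prompt: "Enter a name for the new user"
      private: false
      confirm: true
    - name: "user_password"
      prompt: "Enter a password for the new user"
      private: true
      # Hash on the control node (needs passlib there) so the `user`
      # module receives a crypt(3) hash, never the clear-text password.
      encrypt: "sha512_crypt"
      confirm: true
      salt_size: 7

  tasks:
    - name: Check to make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    # Debian's /etc/pam.d/su ships the line commented out with several
    # spaces between the fields; a single-space regexp never matches it,
    # and lineinfile then appends a second copy at the end of the stack
    # instead of enabling the existing one.
    - name: Enabling su/sudo access for wheel group
      lineinfile:
        path: /etc/pam.d/su
        state: present
        regexp: '^#?\s*auth\s+required\s+pam_wheel\.so'
        line: 'auth required pam_wheel.so'
      when: ansible_os_family == "Debian"

    - name: Install the 'sudo' package
      package:
        name: sudo
        state: latest

    # Spell out the sudo rule rather than relying on the distro's default
    # sudoers; visudo -c rejects the file before it is installed.
    - name: Grant sudo to the wheel group via a validated sudoers drop-in
      copy:
        dest: /etc/sudoers.d/wheel
        content: "%wheel ALL=(ALL:ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create the non-root user
      user:
        name: "{{ user_name }}"
        password: "{{ user_password }}"
        shell: "/bin/bash"
        groups: "wheel"
        # Keep any groups the account already has if it exists.
        append: true

    - name: Add local public key for key-based SSH authentication
      authorized_key:
        user: "{{ user_name }}"
        key: "{{ item }}"
      with_file:
        - ~/.ssh/id_rsa.pub

    # Key-based login for the new user is set up above, so password and
    # root logins can be switched off here. Each edit is parsed by sshd
    # itself before it replaces the live config.
    - name: Harden sshd configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - { regexp: "^#?PermitRootLogin", line: "PermitRootLogin no" }
        - { regexp: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
        - { regexp: "^#?AllowAgentForwarding", line: "AllowAgentForwarding no" }
        - { regexp: "^#?AllowTcpForwarding", line: "AllowTcpForwarding no" }
        # A client that offers more than two keys is disconnected before it
        # reaches the right one; raise this if your agent holds several.
        - { regexp: "^#?MaxAuthTries", line: "MaxAuthTries 2" }
        - { regexp: "^#?MaxSessions", line: "MaxSessions 2" }
        - { regexp: "^#?TCPKeepAlive", line: "TCPKeepAlive no" }
        - { regexp: "^#?UseDNS", line: "UseDNS no" }
      notify: Restart sshd

    - name: Install a few more packages for the sake of convenience
      package:
        name: "{{ item }}"
        state: present
      loop:
        - nano
        - vim
        - htop

  handlers:
    # Runs once at the end of the play, and only if the config changed.
    # Debian/Ubuntu expose `sshd.service` as an alias of `ssh.service`;
    # switch the name to `ssh` if the alias is missing on your image.
    - name: Restart sshd
      systemd:
        name: sshd
        state: restarted
        daemon_reload: true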