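  #
# provision_server.yaml
# Author: Joel Hans, for SSD Nodes
#
# This script aims to accomplish a few simple tasks:
# * Create a new user with `sudo` access
# * Enable SSH key-based authentication
# * Harden SSH with some simple-but-logical options
# * Install a few packages for convenience
#
# Task order matters: the play connects as root, so the new user, the sudo
# rule and the authorized key are all in place before root login and password
# authentication are switched off. If the local public key is missing the
# authorized_key task fails and the play stops before any hardening happens.
#

---
- hosts: ssdnodes
  remote_user: root

  vars_prompt:
    - name: "user_name"
      prompt: "Enter a name for the new user"
      private: false
      confirm: true

    - name: "user_password"
      prompt: "Enter a password for the new user"
      private: true
      # Hashed on the controller before it is sent to the host; the user
      # module expects a crypt(3)-style hash, never the plaintext.
      encrypt: "sha512_crypt"
      confirm: true
      salt_size: 7

  tasks:
    - name: Check to make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    # Restricts `su` to members of wheel via pam_wheel (Debian family only;
    # RHEL-family images ship this line already).
    - name: Enabling su/sudo access for wheel group
      lineinfile:
        path: /etc/pam.d/su
        state: present
        regexp: '^#?auth required pam_wheel.so'
        line: 'auth required pam_wheel.so'
      when: ansible_os_family == "Debian"

    - name: Install the 'sudo' package
      package:
        name: sudo
        state: latest

    # Debian-family images have no sudoers rule for 'wheel' (they use the
    # 'sudo' group), so group membership alone would not grant sudo there and
    # the play's first goal would silently fail. A validated drop-in covers
    # both families; visudo rejects the file before a typo can break sudo.
    - name: Grant sudo to the 'wheel' group
      lineinfile:
        path: /etc/sudoers.d/wheel
        create: true
        owner: root
        group: root
        mode: "0440"
        regexp: '^%wheel '
        line: '%wheel ALL=(ALL) ALL'
        validate: 'visudo -cf %s'

    - name: Create the non-root user
      user:
        name: "{{ user_name }}"
        password: "{{ user_password }}"
        shell: "/bin/bash"
        groups: "wheel"
        # Do not strip an existing account of its other groups on re-runs.
        append: true

    # with_file reads the key from the controller (the machine running
    # ansible-playbook), not from the managed host.
    - name: Add local public key for key-based SSH authentication
      authorized_key:
        user: "{{ user_name }}"
        key: "{{ item }}"
      with_file:
        - ~/.ssh/id_rsa.pub

    # The target is sshd_config; writing to /etc/ssh/sshd would create a file
    # sshd never reads and leave every setting below ineffective. validate
    # runs `sshd -t` against the candidate file before it replaces the live
    # config, so a malformed line cannot lock the host out on restart.
    - name: Harden sshd configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: "^#?PermitRootLogin", line: "PermitRootLogin no" }
        - { regexp: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
        - { regexp: "^#?AllowAgentForwarding", line: "AllowAgentForwarding no" }
        - { regexp: "^#?AllowTcpForwarding", line: "AllowTcpForwarding no" }
        - { regexp: "^#?MaxAuthTries", line: "MaxAuthTries 2" }
        - { regexp: "^#?MaxSessions", line: "MaxSessions 2" }
        - { regexp: "^#?TCPKeepAlive", line: "TCPKeepAlive no" }
        - { regexp: "^#?UseDNS", line: "UseDNS no" }

    # Existing sessions (including this play's connection) survive a restart;
    # only new logins see the hardened settings.
    - name: Restart sshd
      systemd:
        name: sshd
        state: restarted
        daemon_reload: true

    - name: Install a few more packages for the sake of convenience
      package:
        name:
          - nano
          - vim
          - htop
        state: present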