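---
# Baseline hardening play for a fresh Ubuntu host: bootstrap Python, create
# the server user with sudo and SSH keys, update/upgrade packages, enable ufw,
# preseed Postfix, schedule a logwatch mail, and tighten sshd.
#
# Every ubuntu_common_* variable is expected to come from the caller
# (inventory / group_vars); none are defined in this file.
- hosts: all
  # Facts cannot be gathered until Python exists on the target, so fact
  # gathering is off and the bootstrap below uses the raw module.
  gather_facts: false

  pre_tasks:
    - name: install python needed for ansible modules to work
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"

  tasks:
    - name: Add server user
      user:
        name: "{{ ubuntu_common_server_user_name }}"
        # password_hash() picks a fresh random salt on every run, so together
        # with update_password=always this task reports "changed" each time.
        password: "{{ ubuntu_common_server_password | password_hash('sha512') }}"
        shell: /bin/bash
        update_password: always

    - name: Add authorized keys for server user
      authorized_key:
        user: "{{ ubuntu_common_server_user_name }}"
        key: "{{ lookup('file', item) }}"
      # Quoted expression rather than a bare variable name: bare names in
      # with_items are only accepted by old Ansible releases.
      with_items: "{{ ubuntu_common_server_public_keys }}"

    - name: Add server user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: "{{ ubuntu_common_server_user_name }} ALL"
        line: "{{ ubuntu_common_server_user_name }} ALL=(ALL) ALL"
        state: present
        # A malformed sudoers locks every user out of sudo; let visudo check
        # the temporary file before lineinfile moves it into place.
        validate: "/usr/sbin/visudo -cf %s"

    - name: update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade APT to the latest packages
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        # "installed" is a deprecated alias of "present"; same behaviour.
        state: present
        name: "{{ item }}"
      with_items: "{{ ubuntu_common_required_packages }}"

    # The SSH allow rule is added before the firewall is enabled with a deny
    # policy, so a play that aborts between the two steps cannot leave the
    # host unreachable over SSH.
    - name: Allow ssh traffic
      ufw:
        rule: allow
        port: "{{ ubuntu_common_ssh_port }}"
        proto: tcp

    - name: Setup ufw
      ufw:
        state: enabled
        policy: deny

    - name: Set up Postfix to relay mail
      # debconf only preseeds answers; they take effect when the postfix
      # package is (re)configured, presumably via ubuntu_common_required_packages.
      debconf:
        name: postfix
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - question: postfix/mailname
          value: pixellane.com
          vtype: string
        - question: postfix/main_mailer_type
          value: Internet Site
          vtype: string

    - name: Email log summary daily
      lineinfile:
        dest: /etc/cron.daily/00logwatch
        regexp: "^/usr/sbin/logwatch"
        line: "/usr/sbin/logwatch --output mail --mailto {{ ubuntu_common_logwatch_email }} --detail high"
        state: present
        create: true

    # Both sshd edits validate the candidate config with sshd -t first: an
    # invalid sshd_config would make the "Restart ssh" handler fail and leave
    # no way back onto the host.
    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart ssh

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        # Was "PermitRootLogin-= no", which sshd rejects as a bad option.
        line: "PermitRootLogin no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart ssh
      # NOTE(review): indentation was lost in the paste; this tag may have
      # been meant at play level rather than on this task - confirm.
      tags:
        - becareful

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted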