personal_infra/ansible/infra/01_user_and_access_setup_playbook.yml

- name: Secure Debian VPS
  hosts: vipy
  vars_files:
    - ../vars.yml
  become: true

  tasks:
    - name: Update and upgrade apt packages
      apt:
        update_cache: yes
        upgrade: full
        autoremove: yes

    - name: Create new user
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: yes

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    - name: Copy current user's authorized_keys to new user
      copy:
        src: "/home/{{ ansible_user }}/.ssh/authorized_keys"
        dest: "/home/{{ new_user }}/.ssh/authorized_keys"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"
        mode: "0600"
        remote_src: true

    - name: Allow new user to run sudo without password
      copy:
        dest: "/etc/sudoers.d/{{ new_user }}"
        content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"
        owner: root
        group: root
        mode: "0440"

    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        backrefs: yes
      loop:
        - { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
        - {
            regexp: "^#?PasswordAuthentication .*",
            line: "PasswordAuthentication no",
          }

    - name: Restart SSH
      service:
        name: ssh
        state: restarted
thingies 2025-07-01 16:14:44 +02:00			`- name: Secure Debian VPS`
			`hosts: vipy`
			`vars_files:`
			`- ../vars.yml`
			`become: true`

			`tasks:`
			`- name: Update and upgrade apt packages`
			`apt:`
			`update_cache: yes`
			`upgrade: full`
			`autoremove: yes`

			`- name: Create new user`
			`user:`
			`name: "{{ new_user }}"`
			`groups: sudo`
			`shell: /bin/bash`
			`state: present`
			`create_home: yes`

			`- name: Set up SSH directory for new user`
			`file:`
			`path: "/home/{{ new_user }}/.ssh"`
			`state: directory`
			`mode: "0700"`
			`owner: "{{ new_user }}"`
			`group: "{{ new_user }}"`

			`- name: Copy current user's authorized_keys to new user`
			`copy:`
			`src: "/home/{{ ansible_user }}/.ssh/authorized_keys"`
			`dest: "/home/{{ new_user }}/.ssh/authorized_keys"`
			`owner: "{{ new_user }}"`
			`group: "{{ new_user }}"`
			`mode: "0600"`
			`remote_src: true`

			`- name: Allow new user to run sudo without password`
			`copy:`
			`dest: "/etc/sudoers.d/{{ new_user }}"`
			`content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"`
			`owner: root`
			`group: root`
			`mode: "0440"`

			`- name: Disable root login`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: "{{ item.regexp }}"`
			`line: "{{ item.line }}"`
			`state: present`
			`backrefs: yes`
			`loop:`
			`- { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }`
			`- {`
			`regexp: "^#?PasswordAuthentication .*",`
			`line: "PasswordAuthentication no",`
			`}`

			`- name: Restart SSH`
			`service:`
			`name: ssh`
			`state: restarted`