72 lines
2 KiB
YAML
72 lines
2 KiB
YAML
- name: Secure Debian VPS
|
|
hosts: vipy,watchtower,spacey
|
|
vars_files:
|
|
- ../infra_vars.yml
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Update and upgrade apt packages
|
|
apt:
|
|
update_cache: yes
|
|
upgrade: full
|
|
autoremove: yes
|
|
|
|
- name: Create new user
|
|
user:
|
|
name: "{{ new_user }}"
|
|
groups: sudo
|
|
shell: /bin/bash
|
|
state: present
|
|
create_home: yes
|
|
|
|
- name: Set up SSH directory for new user
|
|
file:
|
|
path: "/home/{{ new_user }}/.ssh"
|
|
state: directory
|
|
mode: "0700"
|
|
owner: "{{ new_user }}"
|
|
group: "{{ new_user }}"
|
|
|
|
- name: Copy current user's authorized_keys to new user
|
|
copy:
|
|
src: "{{ (ansible_user == 'root') | ternary('/root/.ssh/authorized_keys', '/home/' + ansible_user + '/.ssh/authorized_keys') }}"
|
|
dest: "/home/{{ new_user }}/.ssh/authorized_keys"
|
|
owner: "{{ new_user }}"
|
|
group: "{{ new_user }}"
|
|
mode: "0600"
|
|
remote_src: true
|
|
|
|
- name: Allow new user to run sudo without password
|
|
copy:
|
|
dest: "/etc/sudoers.d/{{ new_user }}"
|
|
content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"
|
|
owner: root
|
|
group: root
|
|
mode: "0440"
|
|
|
|
- name: Disable root login
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
backrefs: yes
|
|
loop:
|
|
- { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
|
|
- {
|
|
regexp: "^#?PasswordAuthentication .*",
|
|
line: "PasswordAuthentication no",
|
|
}
|
|
|
|
- name: Ensure PasswordAuthentication is set to no in cloud-init config
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config.d/50-cloud-init.conf
|
|
regexp: "^PasswordAuthentication"
|
|
line: "PasswordAuthentication no"
|
|
create: yes
|
|
backup: yes
|
|
|
|
- name: Restart SSH
|
|
service:
|
|
name: ssh
|
|
state: restarted
|