fix: gateway is missing systemd-resolved by default
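---
# Bootstrap of a freshly provisioned host: packages, hostname, /etc/hosts,
# sshd hardening drop-ins, member/system users with their SSH keys, and
# password-less sudo for the sudo group. Targets the "initial" inventory
# group; every task runs with privilege escalation (become).
- name: Initial Server Setup
  hosts: initial
  become: true
  vars_files:
    - ../user_vars.yml  # expected to provide users_member and users_system
  vars:
    # NOTE(review): shared initial password committed in plaintext. It is only
    # applied when a user is first created (update_password: on_create) and SSH
    # password authentication is disabled further down, but it should still be
    # supplied from an Ansible Vault-encrypted variable (e.g. via
    # ../user_vars.yml) instead of being hard-coded here.
    password: Welcome1234
    ansible_managed: "This file is managed by Ansible. Do not modify."
  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        # "safe" is the documented equivalent of "yes" (apt-get upgrade); the
        # previous boolean true relied on the module coercing bool -> "yes".
        upgrade: safe
        update_cache: true
      tags: basic

    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags: basic

    # Change Hostname
    - name: "Update Hostnames"
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      tags: hostname

    # Update /etc/hosts. The address is regex-escaped and anchored with \s so
    # that e.g. 10.0.0.1 cannot match (and replace) the line for 10.0.0.10.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      tags: network,hostname,dns

    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv6.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      # On hosts without a default IPv6 route the ansible_default_ipv6 fact is
      # an empty dict, so .address is undefined and the task would fail the play.
      when: ansible_default_ipv6.address is defined
      tags: network,hostname,dns

    # SSH security improvements (EmptyPass, PassAuth, RootLogin).
    # Each setting is written to a drop-in under /etc/ssh/sshd_config.d/ and the
    # matching directive in sshd_config itself is commented out, so the drop-in
    # is the single effective source. This relies on sshd_config containing
    # `Include /etc/ssh/sshd_config.d/*.conf` (the default on current
    # Debian/Ubuntu images) -- verify on the target image. Every drop-in is
    # syntax-checked with `sshd -t` before it is installed so a malformed file
    # cannot leave the host without a working sshd after the reload at the end.
    # All three copy/lineinfile pairs carry the same tags so `--tags ssh`
    # applies the hardening completely.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      tags: network,ssh

    - name: Remove SSH Password Auth from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PasswordAuthentication"
        line: "# PasswordAuthentication No"
      tags: network,ssh

    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
      tags: network,ssh

    - name: Remove SSH Empty Password from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PermitEmptyPasswords"
        line: "# PermitEmptyPasswords No"
      tags: network,ssh

    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
      tags: network,ssh

    - name: Remove SSH Root Login from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PermitRootLogin"
        line: "# PermitRootLogin No"
      tags: network,ssh

    # Create Freifunk Users.
    # Members get the shared initial password (set only on creation); system
    # users get no password at all and can therefore only log in with a key.
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        password: "{{ password | password_hash('sha512') }}"
        update_password: "on_create"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_member }}"
      tags: users

    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_system }}"
      tags: users

    - name: Change shell for root to bash
      ansible.builtin.user:
        name: "root"
        shell: /bin/bash
      tags: users

    # key_path is read from the controller, so the public keys must be present
    # on the machine running the play.
    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', item.key_path) }}"
      tags: users
      loop: "{{ users_member | union(users_system) }}"

    # Required for the password-less system users above to be able to sudo;
    # tagged "users" so it is applied together with them.
    - name: Allow for password-less sudo
      community.general.sudoers:
        name: passwordless-sudo
        group: sudo
        commands: ALL
        nopassword: true
      tags: users

    # Deliberately the last task: the drop-ins above only take effect after the
    # reload, and by then the users and their keys exist.
    - name: Reload SSHD
      ansible.builtin.service:
        name: "sshd"
        state: "reloaded"
      tags: network,ssh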