Location: freifunk/Ansible-Configuration/initial_server_setup/initial_setup.yml - annotation
style: make initial-gw-setup conform MORE to the linter
Not perfect yet, but much better.
Issues right now lie with shell usage & permissions.
---
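# Initial provisioning play: upgrades packages, sets the hostname and
# /etc/hosts entries, creates the member and system accounts with their SSH
# keys, and then hardens sshd through drop-in files.
- name: Initial Server Setup
  hosts: test
  become: true
  vars_files:
    - ../user_vars.yml
  vars:
    # NOTE(review): this is a shared, well-known initial password kept in
    # clear text in the repository, and it is given to accounts that are
    # members of the sudo group. Supply `password` from an Ansible Vault
    # encrypted vars file or with --extra-vars instead (vars_files and extra
    # vars both take precedence over this play-level default) and have every
    # member change it at first login.
    password: Welcome1234
  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        upgrade: true
        update_cache: true
      tags:
        - basic

    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags:
        - basic

    # Change Hostname
    - name: Update Hostnames
      ansible.builtin.hostname:
        name: "{{ new_hostname }}"
      tags:
        - hostname

    # Update /etc/hosts
    # The address is regex-escaped and followed by \s so that the dots match
    # literally and an address that is merely a prefix of another entry
    # (10.0.0.1 vs 10.0.0.10) does not overwrite the wrong line.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv4.address }} {{ new_hostname }} {{ new_hostname }}.freifunk.lu"
        state: present
      tags:
        - network
        - hostname
        - dns

    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv6.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv6.address }} {{ new_hostname }} {{ new_hostname }}.freifunk.lu"
        state: present
      # Hosts without a default IPv6 route expose no address fact; skip
      # instead of failing the whole play on an undefined variable.
      when: ansible_default_ipv6.address is defined
      tags:
        - network
        - hostname
        - dns

    # Create Freifunk Users
    # Accounts and their authorized keys are set up BEFORE the SSH hardening
    # below, so that a failure in this section cannot leave a host on which
    # password and root logins are already disabled but nobody has a key.
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        # password_hash() without a fixed salt yields a new hash on every
        # run; update_password: on_create keeps that from resetting
        # passwords of accounts that already exist.
        password: "{{ password | password_hash('sha512') }}"
        update_password: on_create
        groups:
          - sudo
        append: true
        state: present
      loop: "{{ users_member }}"
      tags:
        - users

    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        state: present
      loop: "{{ users_system }}"
      tags:
        - users

    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        # Jinja delimiters must not be nested: inside {{ ... }} the variable
        # is referenced directly. The file lookup reads key_path on the
        # control node.
        key: "{{ lookup('file', item.key_path) }}"
      loop: "{{ users_member | union(users_system) }}"
      tags:
        - users

    # SSH security improvements (EmptyPass, PassAuth, RootLogin)
    # Each setting is written as its own drop-in file. The body of a literal
    # block scalar is written verbatim, so the lines must NOT be wrapped in
    # quotes: a quoted line is not a valid sshd keyword and the setting
    # would not be applied.
    # NOTE(review): drop-ins only take effect if the main sshd_config
    # includes /etc/ssh/sshd_config.d/*.conf; confirm for the target distro.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        group: root
        # Symbolic modes are comma-separated without spaces.
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      tags:
        - network
        - ssh

    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
      tags:
        - network
        - ssh

    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
      tags:
        - network
        - ssh

    # Check the assembled configuration before touching the running daemon,
    # so a syntax error stops the play here instead of at reload time.
    - name: Validate SSHD configuration
      ansible.builtin.command:
        cmd: /usr/sbin/sshd -t
      changed_when: false
      tags:
        - network
        - ssh

    - name: Reload SSHD
      ansible.builtin.service:
        name: sshd
        state: reloaded
      tags:
        - network
        - ssh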