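---
# Bootstrap of a freshly provisioned host: package update, hostname and
# /etc/hosts entries, SSH hardening via sshd_config.d drop-ins, member and
# system user accounts with their authorized keys, and passwordless sudo for
# the sudo group. sshd is reloaded once, at the end of the play, and only when
# one of the SSH configuration tasks actually changed a file.
- name: Initial Server Setup
  hosts: initial
  become: true

  vars_files:
    - ../user_vars.yml
  vars:
    # Initial password for member accounts. It is only applied when the
    # account is created (update_password: on_create), so re-runs do not reset
    # existing users.
    # NOTE(review): a shared password committed in plain text should be moved
    # to an Ansible Vault variable or supplied via --extra-vars.
    password: Welcome1234
    # Overrides the ansible_managed header written into the generated files.
    ansible_managed: "This file is managed by Ansible. Do not modify."

  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        upgrade: true
        update_cache: true
      tags: basic

    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags: basic

    # Change Hostname
    - name: "Update Hostnames"
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      tags: hostname

    # Update /etc/hosts. The address is passed through regex_escape so the dots
    # in an IPv4 address match literally instead of "any character". Hosts
    # without a default address for a family are skipped instead of failing on
    # an undefined variable.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: "^{{ ansible_default_ipv4.address | regex_escape }}"
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      when: ansible_default_ipv4.address is defined
      tags: network,hostname,dns
    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: "^{{ ansible_default_ipv6.address | regex_escape }}"
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      when: ansible_default_ipv6.address is defined
      tags: network,hostname,dns

    # SSH security improvements (EmptyPass, PassAuth, RootLogin).
    # Each setting lives in its own drop-in under sshd_config.d; the matching
    # directive in the main sshd_config is commented out so it cannot conflict
    # with the drop-in. Every task notifies the "Reload SSHD" handler instead
    # of registering a result, so the reload also works when the play is run
    # with --tags ssh (a registered-variable check would see undefined
    # variables for any skipped task). All six tasks carry the same tags so a
    # tag filter never applies only half of the hardening.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      notify: Reload SSHD
      tags: network,ssh
    - name: Remove SSH Password Auth from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "# PasswordAuthentication No"
      notify: Reload SSHD
      tags: network,ssh
    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
      notify: Reload SSHD
      tags: network,ssh
    - name: Remove SSH Empty Password from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitEmptyPasswords"
        line: "# PermitEmptyPasswords No"
      notify: Reload SSHD
      tags: network,ssh
    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
      notify: Reload SSHD
      tags: network,ssh
    - name: Remove SSH Root Login from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "# PermitRootLogin No"
      notify: Reload SSHD
      tags: network,ssh

    # Create Freifunk Users. Both lists come from ../user_vars.yml; each item
    # is expected to carry at least `username` and `key_path`.
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        # password_hash generates a fresh random salt on every run; combined
        # with update_password: on_create this does not churn existing users.
        password: "{{ password | password_hash('sha512') }}"
        update_password: "on_create"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_member }}"
      tags: users
    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_system }}"
      tags: users
    - name: Change shell for root to bash
      ansible.builtin.user:
        name: "root"
        shell: /bin/bash
      tags: users
    - name: Add colorful PS1 in default bashrc
      ansible.builtin.blockinfile:
        path: /etc/bash.bashrc
        marker: "# {mark} ANSIBLE MANAGED BLOCK / Colorful PS1"
        block: |
          case "$TERM" in
              xterm-color|*-256color) color_prompt=yes;;
          esac

          if [ "$color_prompt" = yes ]; then
              PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
          else
              PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
          fi
          unset color_prompt force_color_prompt

    # Keys are read from the controller (lookup('file')), so key_path is a path
    # on the machine running Ansible, not on the target host.
    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', item.key_path) }}"
      tags: users
      loop: "{{ users_member | union(users_system) }}"

    # NOPASSWD for the whole sudo group: system users are created without a
    # password and members start with a shared default, so a sudo password
    # prompt would presumably add little here -- confirm this is intended.
    - name: Allow for password-less sudo
      community.general.sudoers:
        name: passwordless-sudo
        group: sudo
        commands: ALL
        nopassword: true
      tags: users

  handlers:
    # Reload (not restart) so existing sessions survive. Handlers run at the
    # end of the play, i.e. after the authorized keys above are installed, so
    # disabling password authentication cannot lock out key-based users.
    - name: Reload SSHD
      ansible.builtin.service:
        name: "sshd"
        state: "reloaded"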