    fix: become when root perms are necessary
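---
# Initial bootstrap of a freshly installed Debian-family host: packages,
# hostname + /etc/hosts, SSH hardening (no password/empty-password/root
# login), member and system accounts with their SSH keys, and
# password-less sudo for the sudo group. Runs entirely as root (become).
- name: Initial Server Setup
  hosts: initial
  become: true
  vars_files:
    - ../user_vars.yml
  vars:
    # NOTE(review): default password for newly created member accounts,
    # committed in plain text. It is only applied on account creation
    # (update_password: on_create below) and password SSH login is
    # disabled, but it should live in the vars file / ansible-vault rather
    # than here.
    password: Welcome1234
    ansible_managed: "This file is managed by Ansible. Do not modify."
  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        # boolean true is accepted by the apt module as upgrade "yes"
        # (plain apt-get upgrade)
        upgrade: true
        update_cache: true
      tags: basic
    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags: basic
    # Change Hostname
    - name: Update Hostnames
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      tags: hostname
    # Update /etc/hosts
    # The address is regex-escaped and followed by a whitespace boundary so
    # that e.g. 10.0.0.1 does not also match (and rewrite) a 10.0.0.10 line.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lua"
        state: present
      tags: network,hostname,dns
    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv6.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      tags: network,hostname,dns
      # hosts without a default IPv6 route have an empty ansible_default_ipv6
      # fact; skip instead of failing on the undefined .address
      when: ansible_default_ipv6.address is defined
    # SSH security improvements (EmptyPass, PassAuth, RootLogin)
    # Each setting is placed in a sshd_config.d drop-in (first match wins in
    # sshd, and Debian's stock sshd_config includes the directory at the top)
    # and the legacy directive in sshd_config is commented out.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        mode: u=rw,g=r,o=r
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      tags: network,ssh
      register: pass_auth
    - name: Remove SSH Password Auth from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PasswordAuthentication"
        line: "# PasswordAuthentication No"
      tags: network,ssh
      register: pass_auth_sshd
    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        mode: u=rw,g=r,o=r
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
      tags: network,ssh
      register: empty_pass
    - name: Remove SSH Empty Password from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PermitEmptyPasswords"
        line: "# PermitEmptyPasswords No"
      tags: network,ssh
      register: empty_pass_sshd
    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        mode: u=rw,g=r,o=r
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
      tags: network,ssh
      register: root_login
    - name: Remove SSH Root Login from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regex: "^PermitRootLogin"
        line: "# PermitRootLogin No"
      tags: network,ssh
      register: root_login_sshd
    # A reload with a broken config leaves sshd unable to accept new
    # connections; with root login disabled that is a lockout. Check the
    # full configuration (main file + drop-ins) first so the play fails
    # before touching the running daemon.
    - name: Validate sshd configuration before reload
      ansible.builtin.command: /usr/sbin/sshd -t
      changed_when: false
      tags: network,ssh
      when: >-
        pass_auth.changed or pass_auth_sshd.changed
        or empty_pass.changed or empty_pass_sshd.changed
        or root_login.changed or root_login_sshd.changed
    - name: Reload SSHD
      ansible.builtin.service:
        # Debian's ssh.service carries the sshd.service alias
        name: "sshd"
        state: "reloaded"
      tags: network,ssh
      when: >-
        pass_auth.changed or pass_auth_sshd.changed
        or empty_pass.changed or empty_pass_sshd.changed
        or root_login.changed or root_login_sshd.changed
    # Create Freifunk Users
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        # password_hash picks a fresh salt each run; harmless because the
        # hash is only written on account creation
        password: "{{ password | password_hash('sha512') }}"
        update_password: "on_create"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_member }}"
      tags: users
    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_system }}"
      tags: users
    - name: Change shell for root to bash
      ansible.builtin.user:
        name: "root"
        shell: /bin/bash
      tags: users
    - name: Add color etc. into root bashrc
      ansible.builtin.blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK / Enhanced root bashrc"
        # build the path with the Jinja concatenation operator; nested
        # "{{ }}" inside an expression is not reliably templated
        block: "{{ lookup('ansible.builtin.file', server_config_dir ~ '/bashrc_root_config') }}"
        path: /root/.bashrc
      tags: users
    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', item.key_path) }}"
      tags: users
      loop: "{{ users_member | union(users_system) }}"
    - name: Allow for password-less sudo
      # Not done via community.general.sudoers because it does not support
      # sudo-ing into users without a password.
      # NOTE(review): this grants every member of the sudo group (all
      # accounts created above) root without a password, so the SSH keys
      # distributed above are the only credential protecting root.
      ansible.builtin.copy:
        dest: /etc/sudoers.d/passwordless-sudo
        # block scalar keeps a trailing newline, which older sudo versions
        # require at the end of a sudoers file
        content: |
          %sudo   ALL=(ALL:ALL) NOPASSWD: ALL
        owner: root
        group: root
        mode: '0440'
        # a syntax error in sudoers.d disables sudo for everyone; validate
        # the temp file before it is moved into place
        validate: /usr/sbin/visudo -cf %s
      tags: users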