diff --git a/initial_server_setup/initial_setup.yml b/initial_server_setup/initial_setup.yml
index 33e006e3a23f2b62ed8bb07cc797224b186f5fdf..fb19846af9aead7067057f395807d80af336b645 100644
--- a/initial_server_setup/initial_setup.yml
+++ b/initial_server_setup/initial_setup.yml
@@ -1,17 +1,15 @@
 ---
-# Defining the remote server where the package will be deployed
 - name: Initial Server Setup
 hosts: test
- remote_user: root
 become: true
- become_method: ansible.builtin.sudo
+
+ vars_files:
+ - ../user_vars.yml
 vars:
 password: Welcome1234
- ipv4: var=hostvars[initial]['ansible_default_ipv4']['address']
- old_hostname: filter=ansible_hostname
+
 tasks:
 - name: Update + Upgrade packages
- become: true
 ansible.builtin.apt:
 upgrade: true
 update_cache: true
@@ -41,7 +39,6 @@
 line: "{{ ansible_default_ipv4.address }} {{ new_hostname }} {{ new_hostname }}.freifunk.lu"
 state: present
 tags: network,hostname,dns
-
 - name: Make sure an IPV6 entry in /etc/hosts exists
 ansible.builtin.lineinfile:
 path: /etc/hosts
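Review bot: `password: Welcome1234` stays in the committed play as the plaintext bootstrap credential for every sudo-capable account created later from `users_member`, even though this hunk introduces `vars_files: ../user_vars.yml` as the home for user data. Move it out of the play into a vaulted variable (`ansible-vault`) or a `vars_prompt` entry so the shared password is neither in version control nor identical on every host, and force a change on first login once the accounts exist (e.g. `ansible.builtin.command: chage -d 0 {{ item.username }}`). The play continues past this hunk.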
@@ -50,50 +47,66 @@
 state: present
 tags: network,hostname,dns
- # Create Freifunk Users
- - name: Create a login user fantawams
- ansible.builtin.user:
- name: fantawams
- password: "{{ password | password_hash('sha512') }}"
- groups:
- - sudo
- append: true
- state: present
- tags: users
-
- - name: Create a login user orimpe
- ansible.builtin.user:
- name: orimpe
- password: "{{ password | password_hash('sha512') }}"
- groups:
- - sudo
- append: true
- state: present
- tags: users
+ # SSH security improvements (EmptyPass, PassAuth, RootLogin)
+ - name: Disable SSH Password Auth
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
+ owner: root
+ mode: u=rw, g=r, o=r
+ content: |
+ '# {{ ansible_managed }}'
+ 'PasswordAuthentication no'
+ tags: network,ssh
+ - name: Disable SSH Empty Password
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
+ owner: root
+ mode: u=rw, g=r, o=r
+ content: |
+ '# {{ ansible_managed }}'
+ 'PermitEmptyPasswords no'
+ tags: network,ssh
+ - name: Disable SSH Root Login
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/disable_root_login.conf
+ owner: root
+ mode: u=rw, g=r, o=r
+ content: |
+ '# {{ ansible_managed }}'
+ 'PermitRootLogin no'
+ tags: network,ssh
+ - name: Reload SSHD
+ ansible.builtin.service:
+ name: "sshd"
+ state: "reloaded"
+ tags: network,ssh
- - name: Create a login user metalgamer
+ # Create Freifunk Users
+ - name: Create member users
 ansible.builtin.user:
- name: metalgamer
+ name: "{{ item.username }}"
 password: "{{ password | password_hash('sha512') }}"
+ update_password: "on_create"
 groups:
 - sudo
 append: true
 state: present
+ loop: "{{ users_member }}"
 tags: users
-
- - name: Create a login user xbr
+ - name: Create system users (no password)
 ansible.builtin.user:
- name: xbr
- password: "{{ password | password_hash('sha512') }}"
+ name: "{{ item.username }}"
 groups:
 - sudo
 append: true
 state: present
+ loop: "{{ users_system }}"
 tags: users
- - name: Create a login user fflux
- ansible.builtin.user:
- name: fflux
- password: "{{ password | password_hash('sha512') }}"
+ - name: Add SSH key for users from vars
+ ansible.posix.authorized_key:
+ user: "{{ item.username }}"
 state: present
+ key: "{{ lookup('file', {{ item.key_path }} ) }}"
 tags: users
+ loop: "{{ users_member | union(users_system)}}"
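Review bot: The three `content: |` literal blocks keep the single quotes as part of the written file, so each fragment under `/etc/ssh/sshd_config.d/` contains e.g. `'PasswordAuthentication no'` verbatim, which sshd rejects as an unknown directive — the hardening never takes effect and the following `Reload SSHD` task is likely to fail on the broken configuration. Write the directives unquoted and add `validate: /usr/sbin/sshd -t -f %s` to each copy task so a bad fragment is never installed; `mode: u=rw, g=r, o=r` should also lose the spaces after the commas, which Ansible's symbolic-mode parser rejects, or simply become `mode: "0644"`. In the last task, `key: "{{ lookup('file', {{ item.key_path }} ) }}"` nests moustaches inside a Jinja expression and will not template; use `key: "{{ lookup('file', item.key_path) }}"`. Because root login and password authentication are disabled and sshd reloaded before the authorized keys are installed, a failure between those tasks leaves the new accounts without any way in — move the SSH lockdown after the `Add SSH key` task or trigger the reload from a handler at the end of the play. The play these tasks belong to starts outside the hunk.
```yaml
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        # … unchanged: dest, owner …
        mode: "0644"
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s
    # … unchanged: tags; the Empty Password and Root Login tasks take the same shape …
    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        # … unchanged: user, state …
        key: "{{ lookup('file', item.key_path) }}"
```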