Location: freifunk/Ansible-Configuration/initial_server_setup/initial_setup.yml

fix: dhparam, not dhparam.pem
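---
# Initial bootstrap of a freshly provisioned host: package upgrade, hostname,
# /etc/hosts entries, SSH hardening, user accounts and passwordless sudo.
# Runs against the "initial" inventory group; every task is tagged so that a
# subset can be re-applied later (e.g. --tags ssh).
- name: Initial Server Setup
  hosts: initial
  become: true

  vars_files:
    - ../user_vars.yml
  vars:
    # Initial login password for member users.  It is hashed at account
    # creation only (update_password: on_create below).  This is a default
    # committed in plaintext; override it from an ansible-vault encrypted
    # variable file so the real value never lands in version control.
    # Quoted so the value always stays a string.
    password: "Welcome1234"
    ansible_managed: "This file is managed by Ansible. Do not modify."

  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        upgrade: true
        update_cache: true
      tags: basic

    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags: basic

    # Change Hostname
    - name: Update Hostnames
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      tags: hostname

    # Update /etc/hosts.  The address is regex-escaped (dots would otherwise
    # match any character) and anchored on following whitespace or end of
    # line, so that 10.0.0.1 does not also match an existing 10.0.0.10 entry.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv4.address | regex_escape }}(\s|$)'
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      tags:
        - network
        - hostname
        - dns
    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv6.address | regex_escape }}(\s|$)'
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
        state: present
      # ansible_default_ipv6 is empty on hosts without a default IPv6 route;
      # skip instead of failing on the undefined .address attribute.
      when: ansible_default_ipv6.address is defined
      tags:
        - network
        - hostname
        - dns

    # SSH security improvements (EmptyPass, PassAuth, RootLogin).
    # Each directive is written as a drop-in under sshd_config.d and the same
    # directive in sshd_config itself is commented out, because sshd keeps the
    # first value it reads.  NOTE(review): this relies on the distribution's
    # sshd_config carrying an "Include /etc/ssh/sshd_config.d/*.conf" line, as
    # recent Debian/Ubuntu releases do; confirm on older images.
    # Every write is checked with "sshd -t" before it replaces the live file,
    # so a malformed config is never installed and reloaded.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: pass_auth
    - name: Remove SSH Password Auth from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "# PasswordAuthentication No"
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: pass_auth_sshd
    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: empty_pass
    - name: Remove SSH Empty Password from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitEmptyPasswords"
        line: "# PermitEmptyPasswords No"
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: empty_pass_sshd
    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        group: root
        mode: "u=rw,g=r,o=r"
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: root_login
    - name: Remove SSH Root Login from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "# PermitRootLogin No"
        validate: "/usr/sbin/sshd -t -f %s"
      tags:
        - network
        - ssh
      register: root_login_sshd
    # Reload (not restart) so existing sessions, including the one running
    # this play, survive; only done when one of the six writes above changed.
    - name: Reload SSHD
      ansible.builtin.service:
        name: sshd
        state: reloaded
      tags:
        - network
        - ssh
      when: >-
        pass_auth.changed or pass_auth_sshd.changed
        or empty_pass.changed or empty_pass_sshd.changed
        or root_login.changed or root_login_sshd.changed

    # Create Freifunk Users
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        # password_hash picks a fresh random salt on every run; that is
        # harmless because the hash is only applied when the account is
        # first created.
        password: "{{ password | password_hash('sha512') }}"
        update_password: on_create
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_member }}"
      tags: users
    # No password at all: these accounts can only be entered via SSH key.
    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_system }}"
      tags: users
    - name: Change shell for root to bash
      ansible.builtin.user:
        name: root
        shell: /bin/bash
      tags: users
    - name: Add color etc. into root bashrc
      ansible.builtin.blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK / Enhanced root bashrc"
        # Build the path with Jinja concatenation rather than nesting
        # "{{ }}" inside an expression, which is not reliably re-templated.
        block: "{{ lookup('ansible.builtin.file', server_config_dir ~ '/bashrc_root_config') }}"
        path: /root/.bashrc
      tags: users

    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', item.key_path) }}"
      tags: users
      loop: "{{ users_member | union(users_system) }}"

    - name: Allow for password-less sudo
      # Not done via community.general.sudoers because it does not support
      # sudo-ing into users without a password.
      ansible.builtin.copy:
        dest: /etc/sudoers.d/passwordless-sudo
        content: '%sudo   ALL=(ALL:ALL) NOPASSWD: ALL'
        owner: root
        group: root
        mode: '0440'
        # A syntax error in any sudoers file disables sudo for everyone,
        # so let visudo reject the file before it is installed.
        validate: "/usr/sbin/visudo -cf %s"
      tags: users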