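---
# Bootstrap playbook for freshly provisioned hosts in the "initial" group:
# package baseline, hostname and /etc/hosts entries, SSH hardening and
# user/key provisioning. Member and system user lists come from
# ../user_vars.yml (users_member / users_system, each item carrying
# "username" and "key_path").
#
# NOTE(review): the SSH hardening writes drop-ins under
# /etc/ssh/sshd_config.d/. This only takes effect if /etc/ssh/sshd_config
# carries the matching "Include" directive (default on current Debian and
# Ubuntu) — confirm for the target OS image.
- name: Initial Server Setup
  hosts: initial
  become: true
  vars_files:
    - ../user_vars.yml
  vars:
    # Initial password for member accounts. It is hashed on the controller
    # before it reaches the host and only applied when the account is created
    # (see update_password below), so later changes by the user survive.
    # NOTE(review): a shared default password committed in plaintext. Move it
    # to an ansible-vault encrypted variable (e.g. in ../user_vars.yml) and
    # require a change at first login.
    password: "Welcome1234"
    ansible_managed: "This file is managed by Ansible. Do not modify."
    # Domain appended to inventory_hostname to form the FQDN in /etc/hosts.
    host_domain: freifunk.lu

  tasks:
    - name: Update + Upgrade packages
      ansible.builtin.apt:
        update_cache: true
        upgrade: true
      tags:
        - basic

    - name: Install some basic packages
      ansible.builtin.apt:
        pkg:
          - sudo
          - git
          - vim
          - python3
          - python3-pip
      tags:
        - basic

    # Change Hostname
    - name: Update Hostnames
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      tags:
        - hostname

    # Update /etc/hosts.
    # Per hosts(5) the canonical (fully qualified) name comes first and the
    # short name follows as an alias, so "hostname -f" resolves to the FQDN.
    # The address is regex-escaped and anchored on the following whitespace so
    # that e.g. "10.0.0.1" does not match an existing "10.0.0.10" line.
    - name: Make sure an IPV4 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }}.{{ host_domain }} {{ inventory_hostname }}"
        state: present
      tags:
        - network
        - hostname
        - dns

    - name: Make sure an IPV6 entry in /etc/hosts exists
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^{{ ansible_default_ipv6.address | regex_escape }}\s'
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }}.{{ host_domain }} {{ inventory_hostname }}"
        state: present
      # Hosts without an IPv6 default route have no ansible_default_ipv6.address;
      # skip instead of failing on an undefined variable.
      when: ansible_default_ipv6.address is defined
      tags:
        - network
        - hostname
        - dns

    # SSH security improvements (EmptyPass, PassAuth, RootLogin).
    # Each setting lives in its own drop-in file; the matching directive in the
    # main sshd_config is commented out so the drop-in is the single source of
    # truth. Every drop-in is syntax-checked with "sshd -t" before it is moved
    # into place, so a malformed fragment cannot leave sshd unable to start.
    # sshd is reloaded once, by the handler, only if any of these tasks
    # changed something.
    - name: Disable SSH Password Auth
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
        owner: root
        group: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PasswordAuthentication no
      notify: Reload SSHD
      tags:
        - network
        - ssh

    - name: Remove SSH Password Auth from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "# PasswordAuthentication No"
      notify: Reload SSHD
      tags:
        - network
        - ssh

    - name: Disable SSH Empty Password
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
        owner: root
        group: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PermitEmptyPasswords no
      notify: Reload SSHD
      tags:
        - network
        - ssh

    - name: Remove SSH Empty Password from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitEmptyPasswords"
        line: "# PermitEmptyPasswords No"
      notify: Reload SSHD
      tags:
        - network
        - ssh

    - name: Disable SSH Root Login
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
        owner: root
        group: root
        mode: u=rw,g=r,o=r
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # {{ ansible_managed }}
          PermitRootLogin no
      notify: Reload SSHD
      tags:
        - network
        - ssh

    - name: Remove SSH Root Login from sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "# PermitRootLogin No"
      notify: Reload SSHD
      tags:
        - network
        - ssh

    # Create Freifunk Users.
    # Member accounts get the shared initial password (hashed with a fresh
    # random salt on every run, which is fine because update_password is
    # on_create); system accounts get no password and are key-only.
    - name: Create member users
      ansible.builtin.user:
        name: "{{ item.username }}"
        password: "{{ password | password_hash('sha512') }}"
        update_password: on_create
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_member }}"
      tags:
        - users

    - name: Create system users (no password)
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups:
          - sudo
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users_system }}"
      tags:
        - users

    - name: Change shell for root to bash
      ansible.builtin.user:
        name: root
        shell: /bin/bash
      tags:
        - users

    # The block content is read from the controller; server_config_dir is
    # expected from ../user_vars.yml. The path is built with "~" instead of a
    # nested "{{ }}" inside the lookup string, which Ansible flags as invalid
    # Jinja nesting.
    - name: Add color etc. into root bashrc
      ansible.builtin.blockinfile:
        marker: "# {mark} ANSIBLE MANAGED BLOCK / Enhanced root bashrc"
        block: "{{ lookup('ansible.builtin.file', server_config_dir ~ '/bashrc_root_config') }}"
        path: /root/.bashrc
      tags:
        - users

    # state: present only adds keys; a key removed from the vars is not
    # revoked on the host. If the vars are the source of truth, consider
    # "exclusive: true" so stale keys are dropped as well.
    - name: Add SSH key for users from vars
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('ansible.builtin.file', item.key_path) }}"
      loop: "{{ users_member | union(users_system) }}"
      tags:
        - users

    # Members of "sudo" escalate to root without a password. Together with
    # key-only SSH this makes each user's private key the sole credential
    # guarding root on the host — keep that in mind when deciding who is listed
    # in users_member / users_system.
    - name: Allow for password-less sudo
      community.general.sudoers:
        name: passwordless-sudo
        group: sudo
        commands: ALL
        nopassword: true
      tags:
        - users

  handlers:
    # Runs once at the end of the play if any SSH task reported a change.
    # NOTE(review): the unit is called "ssh" on Debian/Ubuntu; "sshd" works
    # there through a systemd alias — confirm on the target OS.
    - name: Reload SSHD
      ansible.builtin.service:
        name: sshd
        state: reloaded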