Diffstat (limited to 'roles')
-rw-r--r--roles/bootstrap/handlers/main.yml3
-rw-r--r--roles/bootstrap/tasks/main.yml59
-rw-r--r--roles/bootstrap/templates/sudoers.d_ansible.j22
3 files changed, 64 insertions, 0 deletions
diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml
new file mode 100644
index 0000000..6ecf94f
--- /dev/null
+++ b/roles/bootstrap/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart-sshd
+ command: service sshd restart
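Review bot: The handler shells out via `command: service sshd restart`, so Ansible cannot tell whether the daemon is actually running afterwards and the task is never idempotent; the `service` module is the intended way to express this. The change is one line: `service: name=sshd state=restarted`, or in block form `service:` / `name: sshd` / `state: restarted`. A `validate:` on the config tasks plus a failed restart here would otherwise only surface as a non-zero exit code with no state check.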
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 0000000..52eae5d
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- debug: var=ansible_play_hosts
+- debug: var=deploy_user
+- debug: var=ansible_ssh_host
+- debug: var=ansible_ssh_port
+- debug: var=ansible_ssh_private_key_file
+
+- name: User - create deployment user account (group)
+ command: pw groupadd "{{ deploy_user }}" -g 999
+ ignore_errors: true
+
+- name: User - create deployment user account (user)
+ command: >
+ pw useradd "{{ deploy_user }}"
+ -u 999 -g "{{ deploy_user }}"
+ -m -d "/var/{{ deploy_user }}"
+ -C "Ansible Deployment"
+ ignore_errors: true
+
+- name: SSH - authorized_keys for the deployment user
+ authorized_key:
+ user: "{{ deploy_user }}"
+ state: present
+ key: "{{ lookup('file', item+'.pub') }}"
+ with_items:
+ - "{{ ansible_ssh_private_key_file }}"
+
+- name: sudo - no password for the deployment user
+ template:
+ src: sudoers.d_ansible.j2
+ dest: /usr/local/etc/sudoers.d/ansible
+ mode: 0440
+ validate: "visudo -cf %s"
+
+- name: SSH - disable password auth for the deployment user
+ blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User {{ deploy_user }}
+ PasswordAuthentication no
+ backup: true
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
+
+- name: SSH - disable empty password login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#?PermitEmptyPasswords"
+ line: "PermitEmptyPasswords no"
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
+
+- name: SSH - disable root login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#?PermitRootLogin"
+ line: "PermitRootLogin no"
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
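Review bot: The two `lineinfile` tasks run after the `blockinfile` task that appends a `Match User {{ deploy_user }}` block at the end of `sshd_config`; when `PermitEmptyPasswords` or `PermitRootLogin` is not already present, `lineinfile` inserts at EOF by default, which lands inside the Match block and scopes the setting to the deployment user instead of applying it globally (both keywords are accepted inside Match, so `sshd -t` will not catch it). Reordering the two `lineinfile` tasks before the `blockinfile` task, or adding `insertbefore: '^Match'` to each, keeps the global settings above the Match block. Separately, `ignore_errors: true` on the `pw groupadd`/`pw useradd` commands hides every failure, not only "already exists"; the `group` and `user` modules are idempotent and would not need it. The `mode: 0440` on the sudoers template should be quoted as `mode: "0440"` so it is not reinterpreted as a decimal integer by the YAML loader.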
diff --git a/roles/bootstrap/templates/sudoers.d_ansible.j2 b/roles/bootstrap/templates/sudoers.d_ansible.j2
new file mode 100644
index 0000000..6bd73ec
--- /dev/null
+++ b/roles/bootstrap/templates/sudoers.d_ansible.j2
@@ -0,0 +1,2 @@
+# Allow user `{{ deploy_user }}` do deployment without password
+{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL
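Review bot: The header comment reads "do deployment without password", which drops a word and does not say what the rule grants; since this file documents a passwordless, unrestricted sudo entry, the comment should state that plainly, e.g. `# Allow `{{ deploy_user }}` (Ansible deployment account) to run any command via sudo without a password`. The tasks file in this commit validates the rendered file with `visudo -cf %s`, so a syntax slip in the template is caught, but the comment is the only place a reader learns the intent of the entry.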