Diffstat (limited to 'roles')
-rw-r--r-- | roles/bootstrap/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/bootstrap/tasks/main.yml | 59 | ||||
-rw-r--r-- | roles/bootstrap/templates/sudoers.d_ansible.j2 | 2 |
3 files changed, 64 insertions, 0 deletions
diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml
new file mode 100644
index 0000000..6ecf94f
--- /dev/null
+++ b/roles/bootstrap/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart-sshd
+ command: service sshd restart
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 0000000..52eae5d
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- debug: var=ansible_play_hosts
+- debug: var=deploy_user
+- debug: var=ansible_ssh_host
+- debug: var=ansible_ssh_port
+- debug: var=ansible_ssh_private_key_file
+
+- name: User - create deployment user account (group)
+ command: pw groupadd "{{ deploy_user }}" -g 999
+ ignore_errors: true
+
+- name: User - create deployment user account (user)
+ command: >
+ pw useradd "{{ deploy_user }}"
+ -u 999 -g "{{ deploy_user }}"
+ -m -d "/var/{{ deploy_user }}"
+ -C "Ansible Deployment"
+ ignore_errors: true
+
+- name: SSH - authorized_keys for the deployment user
+ authorized_key:
+ user: "{{ deploy_user }}"
+ state: present
+ key: "{{ lookup('file', item+'.pub') }}"
+ with_items:
+ - "{{ ansible_ssh_private_key_file }}"
+
+- name: sudo - no password for the deployment user
+ template:
+ src: sudoers.d_ansible.j2
+ dest: /usr/local/etc/sudoers.d/ansible
+ mode: 0440
+ validate: "visudo -cf %s"
+
+- name: SSH - disable password auth for the deployment user
+ blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User {{ deploy_user }}
+ PasswordAuthentication no
+ backup: true
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
+
+- name: SSH - disable empty password login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#?PermitEmptyPasswords"
+ line: "PermitEmptyPasswords no"
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
+
+- name: SSH - disable root login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^#?PermitRootLogin"
+ line: "PermitRootLogin no"
+ validate: "sshd -t -f %s"
+ notify: restart-sshd
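Review bot: The handler shells out with `command: service sshd restart` where Ansible's `service` module is the idiomatic form: `service: name=sshd state=restarted`. The module reports a proper changed/failed status and honours check mode, whereas the raw `command` form gives the play only an exit code to act on. The handler list is complete within the hunk.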
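Review bot: The two `lineinfile` tasks at the end of the hunk run after `blockinfile` has appended a `Match User {{ deploy_user }}` block to `/etc/ssh/sshd_config`, and `lineinfile` appends at end of file when its regexp finds no match, so an appended `PermitRootLogin no` or `PermitEmptyPasswords no` would land inside the Match block and apply only to the deployment user while `sshd -t` still validates the file. On a stock FreeBSD sshd_config the commented directives are usually present and the regexp matches in place, but that is host-dependent; add `insertbefore: "^Match"` to both `lineinfile` tasks (or move the blockinfile task after them) so the directives stay in the global section. The five `debug` tasks at the top print connection details including `ansible_ssh_private_key_file` into the run log; drop them or mark them `no_log: true` once the role is working. The `pw groupadd`/`pw useradd` tasks rely on `ignore_errors: true` for idempotence, which also hides real failures such as a uid/gid collision on 999; the `group` and `user` modules express the same intent idempotently. Also quote the octal as `mode: "0440"` — unquoted `0440` is parsed as the YAML 1.1 integer 288, which Ansible maps back to 0440 only because of the leading zero.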
diff --git a/roles/bootstrap/templates/sudoers.d_ansible.j2 b/roles/bootstrap/templates/sudoers.d_ansible.j2
new file mode 100644
index 0000000..6bd73ec
--- /dev/null
+++ b/roles/bootstrap/templates/sudoers.d_ansible.j2
@@ -0,0 +1,2 @@
+# Allow user `{{ deploy_user }}` do deployment without password
+{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL |
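Review bot: The rendered rule `{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL` grants unrestricted passwordless root, and the template says nothing about why the full grant is needed or what guards it; a header comment along the lines of "rendered by roles/bootstrap; full NOPASSWD is required for unattended deployment and the file is checked with visudo before install" would let a later reader judge whether the scope can be narrowed to the commands the deployment user actually runs. The existing comment reads "do deployment"; "to deploy" is what is meant.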