From 7a63ffd9493b0a8b636de26b8f0954cf08a2b9d9 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Wed, 14 Feb 2018 00:18:24 +0800
Subject: Init ansible playbook for DFly VPS bootstrap

---
 roles/bootstrap/handlers/main.yml | 3 ++
 roles/bootstrap/tasks/main.yml | 59 ++++++++++++++++++++++++++
 roles/bootstrap/templates/sudoers.d_ansible.j2 | 2 +
 3 files changed, 64 insertions(+)
 create mode 100644 roles/bootstrap/handlers/main.yml
 create mode 100644 roles/bootstrap/tasks/main.yml
 create mode 100644 roles/bootstrap/templates/sudoers.d_ansible.j2

(limited to 'roles')

diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml
new file mode 100644
index 0000000..6ecf94f
--- /dev/null
+++ b/roles/bootstrap/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart-sshd
+  command: service sshd restart
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 0000000..52eae5d
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- debug: var=ansible_play_hosts
+- debug: var=deploy_user
+- debug: var=ansible_ssh_host
+- debug: var=ansible_ssh_port
+- debug: var=ansible_ssh_private_key_file
+
+- name: User - create deployment user account (group)
+  command: pw groupadd "{{ deploy_user }}" -g 999
+  ignore_errors: true
+
+- name: User - create deployment user account (user)
+  command: >
+    pw useradd "{{ deploy_user }}"
+    -u 999 -g "{{ deploy_user }}"
+    -m -d "/var/{{ deploy_user }}"
+    -C "Ansible Deployment"
+  ignore_errors: true
+
+- name: SSH - authorized_keys for the deployment user
+  authorized_key:
+    user: "{{ deploy_user }}"
+    state: present
+    key: "{{ lookup('file', item+'.pub') }}"
+  with_items:
+    - "{{ ansible_ssh_private_key_file }}"
+
+- name: sudo - no password for the deployment user
+  template:
+    src: sudoers.d_ansible.j2
+    dest: /usr/local/etc/sudoers.d/ansible
+    mode: 0440
+    validate: "visudo -cf %s"
+
+- name: SSH - disable password auth for the deployment user
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User {{ deploy_user }}
+        PasswordAuthentication no
+    backup: true
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
+
+- name: SSH - disable empty password login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitEmptyPasswords"
+    line: "PermitEmptyPasswords no"
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
+
+- name: SSH - disable root login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
diff --git a/roles/bootstrap/templates/sudoers.d_ansible.j2 b/roles/bootstrap/templates/sudoers.d_ansible.j2
new file mode 100644
index 0000000..6bd73ec
--- /dev/null
+++ b/roles/bootstrap/templates/sudoers.d_ansible.j2
@@ -0,0 +1,2 @@
+# Allow user `{{ deploy_user }}` do deployment without password
+{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL
-- 
cgit v1.2.2
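Review bot: The two `lineinfile` tasks run after the `blockinfile` task has appended `Match User {{ deploy_user }}` to the end of sshd_config, so on a host where `PermitRootLogin` / `PermitEmptyPasswords` are not already present (neither regexp matches) lineinfile appends them at EOF, i.e. inside the Match block, where they apply only to the deploy user and root login stays permitted globally while `sshd -t` still passes. Either order the two lineinfile tasks ahead of the blockinfile task, or give each of them `insertbefore: "^Match "` so a fresh directive lands in the global section. Separately, `ignore_errors: true` on the `pw groupadd` / `pw useradd` commands hides a pre-existing account or a UID/GID 999 clash, after which the authorized_key and sudoers tasks grant passwordless root to whichever account already carries that name; the idempotent `group` / `user` modules (`user: name="{{ deploy_user }}" uid=999 group="{{ deploy_user }}" home="/var/{{ deploy_user }}"`) fail loudly instead. Minor: quote the octal mode as `mode: "0440"` so YAML 1.1 does not hand Ansible the integer 288.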
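Review bot: The fragment grants unconditional passwordless root (`ALL=(ALL) NOPASSWD: ALL`), yet nothing in the role checks that the main `/usr/local/etc/sudoers` actually contains `#includedir /usr/local/etc/sudoers.d` — the `visudo -cf %s` validation in tasks/main.yml only checks this fragment's own syntax, so on a host without the includedir line the rule is silently inert. A preceding `lineinfile` on `/usr/local/etc/sudoers` with `regexp: '^#includedir /usr/local/etc/sudoers.d'`, the same `line`, and `validate: 'visudo -cf %s'` would make the dependency explicit. Minor wording: the comment reads `do deployment`; `to run deployments` is clearer.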