Lots of little fixes and cleanup

3 years ago · 71e698e9ef
7 changed files with 33 additions and 31 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -6,10 +6,12 @@ preflight__timezone: UTC
 firewall__ssh_rule: limit

 # User
-admin_user: "admin"
-admin_group: "admin"
+user: "admin"
+group: "admin"

 # SSH Config
 ssh__port: 8822
 ssh__password_authentication: "no"
-ssh__address_family: "inet"
+ssh__address_family: "inet"
+
+ssh__keys: []
--- a/tasks/add_user.yml
+++ b/tasks/add_user.yml
@ -1,10 +1,10 @@
 ---
- name: add_user | Add admin group
+- name: linode_preflight | add_user | Add admin group
  group:
-    name: "{{ admin_group }}"
+    name: "{{ group }}"
    state: present

- name: add_user | Allow 'admin' group to have passwordless sudo
+- name: linode_preflight | add_user | Allow 'admin' group to have passwordless sudo
  lineinfile:
    dest: /etc/sudoers
    state: present
@ -13,27 +13,28 @@
    validate: 'visudo -cf %s'
  become: yes

- name: add_user | Add admin user
+- name: linode_preflight | add_user | Add admin user
  user:
-    name: "{{ admin_user }}"
-    group: "{{ admin_group }}"
+    name: "{{ user }}"
+    group: "{{ group }}"
    state: present
    create_home: yes
+    shell: /bin/bash
  become: yes

- name: add_user | Ensure admin user ssh directory exists
+- name: linode_preflight | add_user | Ensure admin user ssh directory exists
  file:
-    path: "/home/{{ admin_user }}/.ssh/"
+    path: "/home/{{ user }}/.ssh/"
    state: directory
-    owner: "{{ admin_user }}"
-    group: "{{ admin_group }}"
+    owner: "{{ user }}"
+    group: "{{ group }}"
    mode: 0700
  become: yes

- name: add_user | Add SSH keys to admin user
+- name: linode_preflight | add_user | Add SSH keys to admin user
  authorized_key:
-    user: "{{ admin_user }}"
+    user: "{{ user }}"
    state: present
    key: "{{ item.key }}"
-  with_items: "{{ ssh_keys }}"
+  with_items: "{{ ssh__keys }}"
  become: yes
--- a/tasks/ansible_dependencies.yml
+++ b/tasks/ansible_dependencies.yml
@ -1,5 +1,5 @@
 ---
- name: linode-preflight | Install Python
+- name: linode-preflight | ansible dependencies | Install Python
  raw: test -e /usr/bin/python || (sudo apt-get -y update && sudo apt-get install -y python2-minimal)
  register: common__pyout
  become: yes
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@ -1,11 +1,11 @@
 ---
- name: firewall | install ufw
+- name: linode_preflight | firewall | install ufw
  apt:
    pkg: ufw
    state: present
  become: yes

- name: firewall | Open ssh port
+- name: linode_preflight | firewall | Open ssh port
  ufw:
    state: enabled
    rule: "{{ firewall__ssh_rule }}"
@ -16,21 +16,21 @@
    - 8822
  become: yes

- name: firewall | deny all incoming connections
+- name: linode_preflight | firewall | deny all incoming connections
  ufw:
    state: enabled
    policy: deny
    direction: incoming
  become: yes

- name: firewall | allow all outgoing connections
+- name: linode_preflight | firewall | allow all outgoing connections
  ufw:
    state: enabled
    policy: allow
    direction: outgoing
  become: yes

- name: firewall | allow all connections from localhost
+- name: linode_preflight | firewall | allow all connections from localhost
  ufw:
    state: enabled
    from: "127.0.0.1"
@ -38,12 +38,11 @@
    proto: any
  become: yes

- name: firewall | Copy SSH config
+- name: linode_preflight | firewall | Copy SSH config
  template:
    src: "etc/ssh/sshd_config.j2"
    dest: "/etc/ssh/sshd_config"
    mode: 0644
    validate: '/usr/sbin/sshd -t -f %s'
  become: yes
-  notify: restart sshd
-
+  notify: restart sshd
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,4 +2,4 @@
 - include_tasks: ansible_dependencies.yml
 - include_tasks: preflight.yml
 - include_tasks: add_user.yml
- include_tasks: firewall.yml
+- include_tasks: firewall.yml # Always run last. Then swap Ansible user.
--- a/tasks/preflight.yml
+++ b/tasks/preflight.yml
@ -1,23 +1,23 @@
 ---
- name: preflight | install ntp
+- name: linode_preflight | preflight | install ntp
  apt:
    name: ntp
    state: present
  become: yes

- name: preflight | ensure ntp is running on boot
+- name: linode_preflight | preflight | ensure ntp is running on boot
  service:
    name: ntp
    state: started
    enabled: yes
  become: yes

- name: preflight | Set Timezone
+- name: linode_preflight | preflight | Set Timezone
  timezone:
    name: "{{ preflight__timezone }}"
  become: yes

- name: preflight | copy 10periodic unattended upgrades
+- name: linode_preflight | preflight | copy 10periodic unattended upgrades
  template:
    src: "etc/apt/apt.conf.d/10periodic.j2"
    dest: "/etc/apt/apt.conf.d/10periodic"
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@ -31,7 +31,7 @@ AddressFamily {{ ssh__address_family }}
 # Authentication:

 #LoginGraceTime 2m
-PermitRootLogin yes
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10